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Foreword 


In 1971 Bob Boyer and I began working on an automatic theorem prover for the 
programming language LISP. In my PhD dissertation of 1973, I wrote: 

This paper describes an automatic theorem prover which is capable of pro¬ 
ducing inductive proofs of a large number of interesting theorems about 
functions written in a subset of pure LISP. The program was designed to 
prove theorems in the way a good programmer might intuit them. It has 
several features which make it distinct from other systems concerned with 
proof of program properties: It is fully automatic, requiring no information 
from the user except the LISP definitions of the functions involved and 
the theorem to be proved. It automatically uses structural induction when 
necessary, and automatically generates its own induction formulas. It will 
occasionally generalize the theorem to be proved, and in so doing, often 
‘discovers’ interesting lemmas. Finally, it is capable of writing new, recursive 
LISP functions to help properly generalize a theorem. 

How is mathematical logic used to describe the behavior of functions or programs? 
What is a “theorem?” How do you “prove” theorems? What is an “automatic the¬ 
orem prover?” What do all these mathematical terms—“induction,” “generalization,” 
“lemma”—have to do with programs being “correct?” How can “programmer’s intuition” 
guide a foray into mathematics? How do you think about programs that call themselves 
without just going in circles? 

These are some of the questions Bob and I had to answer when we began writing 
the program described above. Our answers are still evolving 40 years later and are 
currently manifested in ACL2, the “living” descendant of the prover above. 

But while our code is well documented and available for study, the answers to the 
above questions are not always explicit in it. Sometimes, the best way to learn how to 
do something is just to sit down and try to do it. 

There are two problems with that advice and the problems are especially acute 
when mathematical logic is involved. First, you have to understand the “rules of the 
game.” Those rules—if followed exactly—will ensure that what you “prove” is really 
true. Second, it is hard to keep in mind the precise statement of every rule—and if you 
make a mistake you might end up believing something is true when it is not. 

This little book and the accompanying little assistant addresses both of these 
problems. The book itself provides you with a gentle introduction to the mathematics 
behind all of this. It presents “the rules” in a way geared toward the programmer. Indeed 
the rules themselves are largely intuitive to the programmer. Second, the assistant 
enforces the rules for you. But unlike the “automatic theorem provers” that I create, 
their assistant is designed to enforce the rules while allowing you to learn by doing. 

The offer here is: the prover will make sure the “formulas” are formulas and the 
“proofs” are proofs. But you’re the intelligent actor: so what do you do now? 

J Strother Moore 
Austin, Texas 
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Preface 


What does it mean for a statement to be true? Some statements can be verified directly. 
To determine whether a particular omelette is delicious, we merely have to taste the 
omelette. Our answer is imprecise, however. We must wonder: how tasty must a 
“delicious” omelette be? What egg dishes are properly called “omelettes?” Assuming 
our taste test succeeds, we can answer the question for only one omelette at a time. We 
may never know whether all omelettes are delicious, even if each individual omelette we 
try is tasty. 

What does it mean for a statement to be true of a recursive function? It is easy to 
test an individual case. When we evaluate (reverse (reverse '(1 2))), we reach the result 
'(12), exactly as we expect. Furthermore, evaluating a recursive function follows a 
predictable—and fortunately, often simple—set of rules. We can therefore answer more 
general questions. For instance, does (reverse (reverse x)) always produce x for any list? 
We can determine the answer without ever evaluating the expression or even knowing 
the specific value of x. 

Our goal is to teach the reader how to determine facts about recursive functions 
using induction. Our approach is to start with programming concepts such as recursive 
functions and lists, and to lead the reader along the shortest path to inductive proofs. 
We aim to teach enough to verify simple properties such as whether (reverse (reverse x)) 
always produces x for any list, although we leave that particular example as an exercise 
for the reader. 

Understanding how to read, write, and evaluate recursive functions over lists is 
adequate preparation. We assume knowledge of neither logic nor mathematics beyond 
arithmetic. We express as much as we can using simple programming concepts. 
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Notation 

Expressions in the book are written in a language comprised of variables, quoted literals, 
if expressions, and function applications. Functions include nine built-in operators as 
well as user-defined functions, which may be recursive. 

Variable names consist of one or more characters, including letters, numbers, and 
most punctuation; notable exceptions are parentheses and apostrophe. Examples of 
variables are x, +, and variable-namel. 

Quoted literals are preceded by a quote symbol, written ', and include atomic 
“symbols” such as 'banana, natural numbers such as '12, and lists such as '(), 
'(a glass of orange juice), and '(bacon with 2 eggs). Lists may also be arbitrarily deeply 
nested; for example, '((3 slices of toast) or (1 bagel with cream cheese)). 

An if expression has three parts: the question , the answer , and the else. For 
example, (if sleepy 'coffee '(orange juice)) produces 'coffee if sleepy is 't and produces 
'(orange juice) if sleepy is 'nil. 

Function applications include a function name and zero or more arguments. For 
example, (cons x '(with hash browns)), (f x (g y z)), or (do-something). 

The nine built-in functions are: cons, which adds an element to the front of a list; 
car, which returns the first element of a non-empty list; cdr, which returns the tail of a 
non-empty list excluding its first element; atom, which returns 'nil for non-empty lists 
and 't for everything else; equal, which returns 't if its arguments have identical values 
and 'nil otherwise; natp, which returns 't if its argument is a natural number and 'nil 
otherwise; size, which counts the conses needed to build a value; +, which adds two 
natural numbers; and <, which returns 't if its first argument is less than its second 
argument and 'nil otherwise. 

User-defined functions are written with defun, and include the function’s name, a 
list of names for its arguments, and an expression for the function’s body. Function 
definitions may be recursive. For example: 

(defun list-length (xs) 

(if (atom xs) 

'0 

(+ '1 (list-length (cdr xs))))) 


• • 
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Theorems, introduced in chapter 1, are defined with dethm. Much like functions, 
theorem definitions include the theorem's name, a list of names for its arguments, and 
an expression for its body. Since expressions cannot refer to theorems, theorems are not 
recursive. Here is an example: 

(dethm natp/list-length (xs) 

(natp (list-length xs))) 


Guidelines for the Reader 

For those who wish to “play along,” we include a simple proof assistant, J-Bob, defined 
in the same language as the theorems we prove. J-Bob is a program that can check 
each step when attempting to prove a theorem but does not contribute any steps. In 
the appendices, we introduce J-Bob in “Recess,” we present the complete code of every 
example and proof in the book using J-Bob in “The Proof of the Pudding,” and we 
include the implementation of J-Bob in “The Little Assistant.” J-Bob, support to run 
J-Bob in several languages, and the aforementioned proofs are available for download 
at http://the-little-prover.org/. 

Food appears in some examples for two reasons. First, food is easier to visualize 
than abstract symbols (but there will be many short symbols like x, etc.). We hope the 
food imagery helps you to better understand the examples and concepts. Second, we 
want to provide a little distraction. We know how exhausting the subject matter can 
be, thus these breakfast foods are for energizing you. As such, we hope that thinking 
about food will cause you to occasionally set the book aside and have a bite. 

You are now ready to start. Good luck! We hope you enjoy the book. 


Bon appetit! 

Daniel P. Friedman 
Bloomington, Indiana 


Carl Eastlund 
Brooklyn, New York 
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Salutations. 

What are salutations? 

Salutations are a fancy way of saying 
hello or good morning.^ 

Good morning. 

tThank you, E. B. White (1899-1985), for 


Charlotte’s Web. 


Have you read The Little Schemer ? 

3 'nil. 

Oh, so you’ve read The Little LISPer ? 

4 Well, ... 


Do you remember “Cons the 
Magnificent?” 


Certainly.’*’ 

^ Otherwise, continue if you have some famil¬ 
iarity with recursion. 


What is (car (cons 'ham '(eggs))) equal 
to? 


'ham J 

^We write all values as expressions using the 
symbol 1 to denote a literal “quoted” value, rather 
than referring to values outside of expressions. 


7 

Yes. But also (car (cons 'ham '(cheese))), That’s strange, 
(car (cdr (cons 'eggs '(ham)))), 

(car (cons (car '(ham)) '(eggs))), ... 


What value is this expression equal to? 

(car (cons 'ham '(eggs))) 


That’s easy. 

'ham t 

^When we rewrite one expression to another 
that is equal to it, we put them side-by-side. 
They are smaller to accommodate much larger 
expressions. 


Old Games, New Rules 
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Exactly. 


Are there any others? 


No 


Tricky. 


an expression is only equal to one 
value. 


What value is this expression equal to? 

(atom '()) 


That’s easy, too 


What value is this equal to? 

(cons a b) 


We do not know what a and b are 


Does that mean (cons a b) has no value? 


Until we know what a and b are, we do 
not know what value (cons a b) is equal 
to. 


Can we find a value for this expression? 

(atom (cons 'ham '(eggs))) 


14 


Of course 


'nil 


How about this expression? 

(atom (cons a b)) 


We still do not know what a and b are 


Nevertheless, we can figure out what 
value it has. Try again. 


■ni 


because no matter what values the 
variables a and b have, cons cannot 
produce an atom. 


(atom (cons a b)) 


'nil 
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Does this expression have a value? 

(equal 'flapjack (atom (cons a b))) 

17 

Well, we already know that 
(atom (cons a b)) is equal to 'nil. 

How can we use that? 

18 

If we can replace (atom (cons a b)) with 
'nil on its own, then surely we can 
replace the (atom (cons a b)) in 
(equal 'flapjack (atom (cons a b))) with 
'nil. 

In other words, we want to focus on 

19 

So, does that mean we can replace this 

(atom (cons a b)) in the context of the 

focus with 'nil? 

outer equal expressiond 


(equal 'flapjack (atom (cons a b)) 

(equal 'flapjack 'nil 

^We show this by writing the focus in black 


and its context in blue. 


Precisely. In that case, what value is 

20 i -1 

'ml, 

(equal 'flapjack 'nil) equal to? 

of course. 

(equal 'flapjack 'nil) 

'nil 

What value is 

21 'nil, 

(equal 'flapjack (atom (cons a b))) equal 

as we have just seen. 

to? 


How many steps did we take to get from 

22 m 

Two. 

(equal 'flapjack (atom (cons a b))) to 'nil? 


What is the first step? 

23 

In the first step, the focus 


(atom (cons a b)) is equal to 'nil. 


Old Games, New Rules 
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What is the whole expression? 


24 


(equal 'flapjack (atom (cons a b))). 


Where is this focus in the whole It is the second argument to equal, 

expression? 


What is the second step? 


In the second step, the whole expression 
is equal to 'nil. 


Where is the focus in the whole The focus is the whole expression, 

expression? 


What value is this expression equal to? 

(atom (cdr (cons (car (cons p q)) '()))) 


We don’t know what p and q are, but 
perhaps we can find a value anyway. 


What is the first step? 


(atom (cdr (cons (car (cons p q)) '()))) 


The car of (cons p q) is always equal to 
p, regardless of p and q. 

(atom (cdr (cons p '()))) 


And what is the second step? 

(atom (cdr (cons p '())) 


Of course, the cdr of (cons p '()) is 
always equal to '(), regardless of p. 

(atom '()) 


And finally? 


We know that (atom '()) is 't. 


(atom '()) 



That took three steps. Can we do it in We are up to the challenge, 
fewer? 
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How shall we start? 

33 

The cdr of (cons (car (cons p q)) '()) is 
always equal to '(), regardless of p and q. 

(atom (cdr (cons (car (cons p q)) '())) 

(atom '()) 

We have seen this step before. 

And so we are done. 

(atom '()) 

't 

How many axioms have we used? 

35 

What is an axiom? 

An axiom is a basic assumption that is 
presumed to be true. For one example, 
we assume that (atom (cons x y)) is 
always equal to 'nil. For another, we 
assume that (car (cons x y)) is always 
equal to x. We also assume that 
(cdr (cons (car (cons x y)) '())) is always 
equal to '(). Finally, we assume that 
(cdr (cons x '())) is always equal to '(). 

36 

Then we have used four axioms. 

Can we rephrase the third and fourth 
assumptions more generally? 

37 Yes, 

the cdr of (cons x y) is always equal to 
y. Does this mean we have used only 
three axioms? 

Yes. Shall we view our axioms so far? 

We are excited to see them. 


Old Games, New Rules 
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The Axioms of Cons (initial) 


(dethm atom/cons (x y) 

(equal (atom (cons x y)) 'nil)) 


(dethm car/cons (x y) 

(equal (car (cons x y)) x)) 


(dethm cdr/cons (x y) 

(equal (cdr (cons x y)) y)) 


Now that we have names for the axioms, 
we can use them again and again. 


39 


What does dethm mean? 


It means define a theorem. 


40 


What is a theorem? 


A theorem is an expression that is 
always true. When we use dethm, we 
also include a list of the variables used in 
the expression. 


41 


What is the difference between an axiom 
and a theorem? 


Axioms are theorems that are assumed 
to be true, whereas other theorems must 
be shown to be true. 


42 


What does equal mean? 


The function equal tells ns whether two 
values are equal. What is the value of 
this expression? 

(equal 'eggs '(ham)) 


43 


Its value is 'nil, 

because 'eggs is not equal to '(ham) 


'nil 
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Exactly. What is the value of this 
expression? 

44 

It has the same value as 
(car (cons't '(and crumpets))), 

because (cons x y) is always equal to 
(cons x y), regardless of x and y. 

(car 

(cons (equal (cons x y) (cons x y)) 

'(and crumpets))) 

(car 
(cons 't 

'(and crumpets))) 

And, of course, the second step is easy. 

Delicious! 

(car (cons 't '(and crumpets)) 

(car ' (t and crumpets) 

Is this a theorem? 

46 

But, of course! 

(car'(t and crumpets)) 

't 

What is the value of this expression? 

47 

We do not know. It depends on the 

(equal (cons x y) (cons 'bagels '(and lox))) 

values of x and y. 

What else is this expression equal to? 

48 

Perhaps it is equal to many things. 


(equal (cons x y) (cons 'bagels '(and lox))) 


Does the order of the arguments to equal 
matter? 

49 

No, 

(cons x y) is equal to 
(cons 'bagels '(and lox)) in the same 
cases that (cons 'bagels '(and lox)) is 
equal to (cons x y). 

(equal (cons x y) (cons 'bagels '(and lox))) 

(equal (cons 'bagels '(and lox)) (cons x y)) 

Exactly. 

It sounds like we have some new axioms. 


Old Games, New Rules 
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The Axioms of Equal (initial) 


(dethm equal-same (x) 
(equal (equal x x) 't)) 


(dethm equal-swap (x y) 

(equal (equal x y) (equal y x))) 


What is different about equal-swap In the other axioms, the second 

compared to the other axioms we have argument of the outer equal is shorter 

seen thus far? than the first argument. In equal-swap, 

neither argument of the outer equal is 
shorter than the other. 


Does it matter? 



Yes, we think so. 


That’s kind of true. It is useful to know How fascinating. 

how an axiom can simplify an 

expression. For the same reason that 

equal-swap is true, however, we could 

write the axioms in either order without 

changing their meaning. 


What is this focus equal to, according to The car of (cons (cdr x) (car y)) is (cdr x). 
car/cons? 


(cons y 

(equal (car (cons (cdr x) (car y))) 

(equal (atom x) 'nil))) 


(cons y 

(equal (cdr x) 

(equal (atom x) 'nil))) 


What else is this focus equal to, 
according to car/cons? Recall that “is 
equal to” works in both directions. 

(cons y 

(equal (car (cons (cdr x) (car y))) 

(equal (atom x) 'nil))) 


In that case, (car (cons (cdr x) (car y))) is 
equal to many things according to 
car/cons, such as this focus. 

(cons y 

(equal (car (cons 

(car (cons (cdr x) (car y))) 
'(oats))) 

(equal (atom x) 'nil))) 
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Can we use atom/cons here? 

56 

Indeed, we can use atom/cons to replace 
'nil with many different expressions. 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

-nil))) 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

(atom 

(cons (atom (cdr (cons a b))) 
(equal (cons a b) c))) 

What is this focus equal to? 

57 

According to cdr/cons, it is equal to 
simply b. 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

(atom 

(cons (atom (cdr (cons a b)) 

(equal (cons a b) c)))))) 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

(atom 

(cons (atom b 
(equal (cons a b) c)))))) 

Are there any axioms we have not yet 
used on the example beginning in 
frame 54? 

58 

Yes, equal-same and equal-swap. 

Can we use either of them here? 

59 

Yes, equal-swap. 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

(atom 

(cons (atom b) 

(equal (cons a b) c) 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

(atom 

(cons (atom b) 

(equal c (cons a b)) 

What value is this expression equal to? 

(cons y 

(equal (car (cons (car (cons (cdr x) (car y))) 

'(oats))) 

(equal (atom x) 

(atom 

(cons (atom b) 

(equal c (cons a b))))))) 

60 

That is a good question. We do not 
know, but we have had fun playing with 
it so far! 


Old Games, New Rules 
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The Law of Dethm (initial) 

For any theorem (dethm name (x 1 ... x n ) body x ), the vari¬ 
ables x ± ... x n in body x can be replaced with any corre¬ 
sponding expressions e 1 ... e n . The result, body e , can be 
used to rewrite a focus p to become q provided body e is 
either (equal p q ) or (equal q p). 


The axiom’s name is car/cons, x 1 and x 2 
are x and y, respectively, and body x is 

(equal (car (cons x y)) x). 

(dethm car/cons (x y) 

(equal (car (cons x y)) x)) 


61 

Let’s try one more example. In car/cons, 
what are name, £ 1? x 2 , and body x from 
the Law of Dethm? 


To rewrite this focus using car/cons, 
what expressions should we use for e 1 
and e 2 from the Law of Dethm? 

62 

We use (car a) as e 1 and (cdr b) as e 2 . 

(atom (car (cons (car a) (cdr b))) 


In that case, how do we figure out body e 
from the Law of Dethm based on body x l 

63 

If we replace x with (car a) and replace y 

with (cdr b), then body e is 

(equal (car (cons (car a) (cdr b))) (car a)). 

Have we found p and ql 

64 

Given body e , p is 

(car (cons (car a) (cdr b))) and q is 
(car a). Since this focus is p, we may 
replace it with q. 

(atom (car (cons (car a) (cdr b))) 

(atom (car a) 


Now work through frames 55-59 again Sounds challenging, 

using the Law of Dethm for each one. 
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If this gets too challenging, we have an Who is J-Bob? 
assistant named J-Bob that can help. 


J-Bob is a program that helps us rewrite 
one expression to another. J-Bob 
“knows” about all the axioms and the 
Law of Dethm and makes sure we get all 
the details right. 


We can meet J-Bob on page 164, and Must we meet J-Bob to continue 

play along with J-Bob for all of the reading? 

examples in this chapter on page 181. 


Absolutely not, but the deeper we go, And so we shall make a visit, 

the more J-Bob can help. 


That’s probably a good idea. Before we Certainly, 
head over there, perhaps we should 
fortify ourselves with two helpings of our 
favorite breakfast. 



Old Games, New Rules 
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What is this focus obviously equal to? 


a, since the car of (cons a b) is always a. 


(car (cons a b)) 

c 

c) 



What axiom tells us this obvious fact? car/cons, that’s easy. 


What is this expression obviously equal 
to? 

(if a 
c 

c) 


The result of this if is c, regardless of a. 
So perhaps the expression is equal to c. 
But we do not know any axioms that tell 
us this. 


Perhaps we need some axioms about if. If only. 


The Axioms of If (initial) 


(dethm if-true (x y) 
(equal (if't x y) x)) 


(dethm if-false (x y) 
(equal (if 'nil x y) y)) 



(dethm if-same (x y) 
(equal (ifx y y) y)) 



What is this expression obviously equal 
to? 

(if a 
c 

c) 


c, by if-same. 
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What else is c equal to, according to Doesn’t if-same require an if expression? 

if-same? 


If if-same can start with an if expression 
and end with a variable, then it must 
also be able to start with a variable and 
end with an if expression. So... what else 
is c equal to, according to if-same? 

c 


How about this? 


(if (if (equal a 't) 

(if (equal 'nil ’nil) 
a 

b) 

(equal 'or (cons 'black '(coffee)))) 



Absolutely! 


Are there any other such if expressions? 


We can fill in any if question we want, as What are the if question, if answer, and 

long as we keep c as the if answer and if else? 

the if else. 


Every if expression has three parts: Very well, 

(if Q A E). We call them the if question, 
the if answer, and the if else, or Q, A, 
and E for short. 


What value is this focus equal to? 


(if (if (equal a 't) 

(if (equal 'nil 'nil) 
a 

b) 

(equal 'or (cons 'black '(coffee)) 



'(black coffee), which certainly helps us 
focus. 

(if (if (equal a 't) 

(if (equal 'nil 'nil) 
a 

b) 

(equal 'or '(black coffee) 

c 

c) 
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Can we simplify the innermost if 
question? 

(if (if (equal a 't) 

(if (equal 'nil 'nil) 

a 

b) 

(equal 'or '(black coffee))) 
c 

c ) 

12 

Certainly, using equal-same. 

(if (if (equal a 't) 

(if 't 
a 

b) 

(equal 'or '(black coffee))) 
c 

c) 

Do we have to use equal-same to replace 

(equal 'nil 'nil) with 't? 

13 

No. we can always use equal itself, 
because 'nil is a value. 

Can we simplify the innermost if now? 

14 

Yes, by if-true. 

(if (if (equal a 't) 

(if't 
a 

b) 

(equal 'or '(black coffee))) 
c 

c) 

(if (if (equal a 't) 

a 

(equal 'or '(black coffee))) 
c 

c) 

Does the if question (equal a 't) tell us 
anything about this focus? 

(if (if (equal a 't) 

a 

(equal 'or '(black coffee))) 
c 

c) 

15 

Yes, since this focus is in the if answer of 
the question (equal a 't), we know that 
the focus a is equal to 't. 

Can we use that knowledge to rewrite 
the focus in frame 15? 

16 

Presumably. But what axiom allows us 
to replace a with 't? 

We need a new axiom about if and equal. 

17 

We are eager to see it. 


Even Older Games 


17 









The Axioms of Equal (final) 



Which axiom allows us to rewrite a to 't We assume the answer is the new axiom, 
in frame 15? equal-if. But how does this axiom work? 

We cannot use the Law of Dethm, 
because the body of the axiom is not an 
application of equal. 


Then we must revise The Law of Dethm. Interesting. 


The Law of Dethm (final) 

For any theorem (dethm name (x 1 ... x n ) body x ), the vari¬ 
ables x l ... x n in body x can be replaced with any corre¬ 
sponding expressions e 1 ... e n . The result, body e , can be 
used to rewrite a focus as follows: 

1. body e must contain the conclusion (equal p q ) or (equal q p ), 

2. the conclusion must not be found in the question of any 
if or in the argument of any function application, 

3. and if the conclusion can be found in an if answer 
(respectively else), then the focus must be found in an 
if answer (respectively else) with the same question. 
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In equal-if, what are name, aq, x 2 , and 
body x from the Law of Dethm? 


20 


In order to rewrite the focus of frame 15 
using equal-if, what expressions should 
we use for e 1 and e 2 from the Law of 
Dethm? 


21 


In that case, how do we figure out body e 
from the Law of Dethm based on body x l 


22 


What expression contained in body e do 
we use as our conclusion ? 


23 


The expression (equal a 't) is contained 
in body e twice, in the if question and in 
the if answer. Which one is our 
conclusion? 


24 



Is the focus in frame 15 also found in an 
if answer with the if question (equal x y)? 


26 
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The axiom’s name is equal-if, x 1 and x 2 
are x and y, and body x is 

(if (equal x y) (equal x y) 't). 


We use a as e, and 't as e„. 


If we use a for x and 't for y, body e is 

(if (equal a ’t) (equal a 't) 't). 


Our conclusion is (equal a 't), since we 
are rewriting a to 't. 


The expression in the if answer is our 
conclusion, since according to the Law of 
Dethm the conclusion must not be found 
in the question of any if. 


Yes, it is found in the answer of an if 
with the question (equal x y). 


Yes, it is. 


No, it is not. 
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Then according to the Law of Dethm, we 
can rewrite the focus a to become 't. 

(if (if (equal a 't) 
a 

(equal 'or '(black coffee))) 
c 

c) 


Finally. But why is that expression 
orange ? 

(if (if (equal a 't) 

't 

(equal 'or '(black coffee))) 
c 

c) 


We write expressions in orange to draw What is a premise? 
attention. Here, (equal a ’t) is a premise 
that allows us to rewrite the focus^. 

t Orange expressions may be part of a context 
or a focus, even though they are not blue or 
black. In frame 28, the orange expression is in 
a context. In frame 43 of the next chapter, the 
orange expression is in a focus. 


A premise is an if question such that a In frame 28, (equal a ’t) is a premise 

focus can be found in either the if answer because the focus is in the if answer, 

or the if else. In frame 28, why is 
(equal a 't) a premise? 


Let’s walk through another example That’s a good idea. 

using premises and the final Law of 

Dethm. 


Here is a new dethm. Is that really a theorem? 


(dethm jabberwockyt (x) 

(if (brillig x) 

(if (slithy x) 

(equal (mimsy x) 'borogove) 

(equal (mome x) 'rath)) 

(if (uffish x) 

(equal (frumious x) 'bandersnatch) 
(equal (frabjous x) 'beamish)))) 


^Thank you, Lewis Carroll (1832-1898). 
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Perhaps, depending on what brillig, Perhaps. This is a complicated 

slithy, mimsy, mome, uffish, frumious, and expression, and jabberwocky is a 

frabjous mean. For now it is just an complicated dethm. 

example, and we will pretend it is a 

theorem. Can we use jabberwocky to 

rewrite this focus? 

(cons 'gyre 

(if (uffish '(callooh cal lay)) 

(cons 'gimble 

(if (brillig '(callooh ca I lay)) 

(cons 'borogove '(outgrabe)) 

(cons 'bandersnatch '(wabe)))) 

(cons (frabjous '(callooh cal lay)) (vorpal)))) 


In order to use jabberwocky, we must find Yes, the first argument of the last equal 

an equal expression that matches this expression in jabberwocky is (frabjous x). 

focus. Do any of the equal expressions in 
jabberwocky have arguments that are 
similar to (frabjous '(callooh callay))? 


What must we substitute for x to make We must substitute '(callooh callay) for x. 
(frabjous x) equal to the focus? 


Exactly. If we substitute '(callooh callay) 
for x in jabberwocky, we get body e , which 
we created to meet the first condition of 
the Law of Dethm. 

(if (brillig '(callooh callay)) 

(if (slithy '(callooh callay)) 

(equal (mimsy '(callooh callay)) 'borogove) 

(equal (mome '(callooh callay)) 'rath)) 

(if (uffish '(callooh callay)) 

(equal (frumious '(callooh callay)) 'bandersnatch) 
(equal (frabjous '(callooh callay)) 'beamish))) 


We must use the last equal expression, 
(equal (frabjous '(callooh callay)) 'beamish) 
as the conclusion, thus meeting the first 
condition. And if we meet the second 
and third conditions, we could rewrite 
the focus to 'beamish. 


What conclusion must we use to rewrite 
the focus (frabjous '(callooh callay))? 
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Looking at frame 36, is the conclusion 
found in an if question or in the 
argument of a function application? 

37 

No, it is not, thus meeting our second 
condition. 

Still looking at frame 36, is the 
conclusion found in an if answer? 

38 

No, it is not. 

And still looking at frame 36, is the 
conclusion found in an if else? 

39 

Yes, it is found in the else of two ifs, thus 
meeting the first part of the third 
condition. So, now do we have to meet 
the second part of this condition? 

Yes. Still looing at frame 36, what are 
the questions of the ifs that have the 
conclusion in their else? 

40 

The questions of the ifs are 

(brillig '(callooh callay)) and 
(uffish '(callooh callay)). 

Looking at frame 33, is the focus found 
in the else of any ifs with the questions 

(brillig '(callooh ca 1 lay) ) and 
(uffish '(callooh callay))? 

41 

The focus is in the else of an if with the 
question (uffish '(callooh callay)), but it is 
not in the else of an if with the question 
(brillig '(callooh callay)). So, no, it is not. 

Then, we can not use jabberwocky to 
rewrite the focus in frame 33. The 
conclusion from frame 36 does not meet 
the second part of the third condition. 

42 

All that effort, and we still don’t get to 
use jabberwocky. 

Let’s try again. Can we use jabberwocky 
to rewrite this focus instead? 

(cons 'gyre 

(if (uffish '(callooh callay)) 

(cons 'gimble 

(if (brillig '(callooh callay)) 

(cons 'borogove '(outgrabe)) 

(cons 'bandersnatch (wabe)))) 

(cons (frabjous '(callooh callay)) '(vorpal)))) 

43 T-» 

Perhaps. 
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Do any of the equal expressions in 
jabberwocky have arguments that are 
similar to 'bandersnatch? 


44 


Yes, the second argument of the third 
equal expression in jabberwocky is 
'bandersnatch. 


What must we substitute for x to make 
'bandersnatch equal to the focus in 
frame 43? 


45 


The focus in frame 43 is already 

'bandersnatch. 


In that case, we can choose an expression 
to substitute for x that helps our 
conclusion satisfy the conditions of the 
Law of Dethm. 


46 


How do we do that? 


What must we substitute for x to make 
the ‘premises of 'bandersnatch in 
jabberwocky equal to the premises of the 
focus in frame 43? 


47 


Once again, we must substitute 

'(callooh callay) for x. 


And once again, substituting 
'(callooh callay) for x in jabberwocky 
produces the expression in frame 36. 
What conclusion must we use this time? 


48 


The third equal expression, whose 
arguments are (frumious '(callooh callay)) 
and 'bandersnatch, 

because one of equal’s arguments, 
'bandersnatch, is equal to the focus in 
frame 43. 


This conclusion must meet the 
conditions in the Law of Dethm. Is the 
conclusion found in an if question or in 
the argument of a function application? 


49 


No, it is not 


Is the conclusion found in an if answer? 


50 


Indeed it is, since the conclusion, which 
contains equal’s two arguments: 

(frumious '(callooh callay)) and 
'bandersnatch is found in the answer of 
the if question ( uffish '(callooh callay)). 
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Is the focus in frame 43 found in the Yes, it is. 

answer of an if with the question 

(uffish '(callooh callay))? 


Is the conclusion found in an if else? 


Yes, it is found in the else of an if with 
the question (brillig '(callooh callay)). 


Is the focus in frame 43 found in an if Yes, it is. 

else with the if question 

(brillig '(callooh callay))? 


In that case, the conclusion in frame 48 
meets the conditions in the Law of 
Dethm. We can use jabberwocky to 
rewrite the focus in frame 43 with the 
premises written in orange. We can 
rewrite 'bandersnatch to become 
(frumious '(callooh callay)). 

(cons 'gyre 

(if (uffish '(callooh callay)) 

(cons 'gimble 

(if (brillig '(callooh callay)) 

(cons 'borogove '(outgrabe)) 

(cons 'bandersnatch '(wabe)))) 

(cons (frabjous '(callooh callay)) '(vorpal)))) 


0 frabjous day! 


(cons 'gyre 

(if (uffish '(callooh callay)) 

(cons 'gimble 

(if (brillig '(callooh callay)) 

(cons 'borogove '(outgrabe)) 

(cons (frumious '(callooh callay)) (wabe)))) 
(cons (frabjous '(callooh callay)) '(vorpal)))) 


How many more times should we read That’s easy. Exactly as many times as 

the jabberwocky example? needed until it is completely understood. 

But why do we use a pretend theorem? 


Sometimes our intuitions get in the way. Are there other, real theorems that use 

Axioms like car/cons and if-same are easy premises? 

to understand, even without the Law of 

Dethm. Since jabberwocky means 

nothing, we must understand the Law of 

Dethm thoroughly in order to use it. 
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Let’s see. Does the if question 

(equal (cdr (car a)) '(hash browns)) tell us 
anything about this focus? 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup (car a) 

(cons 'mustard (car a)))) 


Not really, since that if question tells us 
(cdr (car a)) is equal to '(hash browns), 
and this focus is neither of those 
expressions. 


Does the if question No, since neither the if answer nor the if 

(equal (car a) (cdr a)) tell us anything else of that question contains this focus, 

about this focus? 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup (car a) 

(cons 'mustard (car a)))) 


Does the if question (atom (car a)) tell us 
anything about this focus? 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

■grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup (car a) 

(cons 'mustard (car a)))) 


Yes, since that focus is in the if else of 
the question (atom (car a)), we know 
that (car a) must be a cons with its own 
car and cdr. Perhaps there is an axiom to 
this effect. 
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The Axioms of Cons (final) 


(dethm atom/cons (x y) 

(equal (atom (cons x y)) 'nil)) 


(dethm car/cons (x y) 

(equal (car (cons x y)) x)) 


(dethm cdr/cons (x y) 

(equal (cdr (cons x y)) y)) 


(dethm cons/car+cdr (x) 

(if (atom x) 't (equal (cons (car x) (cdr x)) x))) 


Can we therefore rewrite this focus using 
the premise (atom (car a))? 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup 

(car a)) 

(cons 'mustard (car a)))) 


We should be able to rewrite (car a) as a 
cons of its own car and cdr. 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup 

(cons (car (car a)) (cdr (car a))) 

(cons 'mustard (car a)))) 


What axiom allows us to rewrite the The axiom cons/car+cdr. 

focus in frame 60? 


Does the if question 

(equal (cdr (car a)) '(hash browns)) tell us 
anything about this focus? 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup 

(cons (car (car a) (cdr (car a)) 

(cons 'mustard (car a)))) 


Yes, since this focus is in the if answer of 
the question 

(equal (cdr (car a)) '(hash browns)), we 
know that (cdr (car a)) is equal to 
'(hash browns). 
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Can we use that knowledge as a premise 
to rewrite this focus? 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 

(cons 'ketchup 

(cons (car (car a) (cdr (car a)) 

(cons 'mustard (car a)))) 


We should be able to rewrite 

(cdr (car a)) as '(hash browns). 

(if (atom (car a)) 

(if (equal (car a) (cdr a)) 

'hominy 

'grits) 

(if (equal (cdr (car a)) '(hash browns)) 
(cons 'ketchup 

(cons (car (car a)) '(hash browns))) 
(cons 'mustard (car a)))) 


Do we know of any axiom that justifies Yes, equal-if. 
the rewrite in frame 63? 


Do we think there are more axioms that There must be. 
use premises? 


The Axioms of If (final) 


(dethm if-true (x y) 
(equal (if't x y) x)) 


(dethm if-false (x y) 
(equal (if 'nil x y) y)) 


(dethm if-same (x y) 
(equal (if x y y) y)) 


(dethm if-nest-A (xyz) 

(if x (equal (if x y z) y) 't)) 


(dethm if-nest-E (xyz) 

(if x 't (equal (if x y z) z))) 
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66 


That does not seem likely. 


Can the axiom if-same rewrite this 
expression? 

(cons 'statement 
(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else))))) 


Can we rewrite the previous expression 
to this one? 

(cons 'statement 

(if (equal a 'question) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else)))) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else)))))) 


Yes we can, using if-same. Apparently 
if-same can rewrite the expression in the 
previous frame, after all. 
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Exactly. How can we use if-same to 
rewrite the expression from frame 66 to 
the expression from frame 67? 



We use if-same where y is 


(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 
(cons n '(other else)))). 


(cons 'statement 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 
(cons n '(other else)))) 


and x is (equal a ’question). 

(cons 'statement 

(if (equal a 'question) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 
(cons n '(other else)))) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 
(cons n '(other else))))) 


If (equal a ’question) is true in the 
premise, must it also be true in this 
focus? 

(cons 'statement 

(if (equal a 'question) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else)))) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else)))))) 



Yes, truly, according to if-nest-A. 


(cons 'statement 

(if (equal a 'question) 

(cons 

(cons n '(answer)) 

(if (equal a 'question) 

(cons n '(other answer)) 
(cons n '(other else)))) 

(cons 

(if (equal a 'question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a 'question) 

(cons n '(other answer)) 
(cons n '(other else)))))) 
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If (equal a ’question) is false in the 
premise, must it also be false in this 
focus? 

70 

Yes, certainly, according to if-nest-E 

(cons 'statement 

(cons 'statement 

(if (equal a 'question) 

(if (equal a 'question) 

(cons (cons n '(answer)) 

(cons (cons n '(answer)) 

(if (equal a 'question) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other answer)) 

(cons n '(other else)))) 

(cons n '(other else)))) 

(cons 

(cons 

(if (equal a 'question) 

(cons n '(else)) 

(cons n '(answer)) 

(if (equal a 'question) 

(cons n '(else))) 

(cons n '(other answer)) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else)))))) 

(cons n '(other else)))))) 


71 


If (equal a ’question) is true (false) in the 
premise, must it also be true (false) in 
the focus? 

Yes, truly (and certainly), 
if-nest-A (and if-nest-E). 

according to 

(cons 'statement 

(if (equal a 'question) 

(cons (cons n '(answer)) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else))) 

(cons (cons n '(else)) 

(if (equal a 'question) 

(cons n '(other answer)) 

(cons n '(other else))) 

(cons 'statement 

(if (equal a 'question) 

(cons (cons n '(answer)) 

(cons n '(other answer)) 

(cons (cons n '(else)) 

(cons n '(other else)) 


What expression do we start with in 
frame 66? 

72 

(cons 'statement 
(cons 

(if (equal a ’question) 

(cons n '(answer)) 

(cons n '(else))) 

(if (equal a ’question) 

(cons n '(other answer)) 

(cons n '(other else))))). 
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What expression do we end up with in 
frame 71? 


(cons 'statement 
(if (equal a 'question) 

(cons (cons n '(answer)) 
(cons n '(other answer))) 
(cons (cons n '(else)) 

(cons n '(other else))))). 


How many if expressions are in frame 72? Two. 


How many if expressions are in frame 73? One. 


Is that interesting? 


76 


Indeed, it is. 


How is J-Bob doing? We still have not met J-Bob. 


Now would be an excellent time to take a Maybe this is a good time to give J-Bob 
recess, meet J-Bob on page 164, and play a try. 
through this chapter on page 182. 


Don’t go when tired and hungry. 


We can have a plate of waffles topped 
with butter, syrup, and strawberries 
while we meet J-Bob. 
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What value is (pair 'sharp 'cheddar) equal '(sharp cheddar). 

to? 


What value is (first-of (pair 'baby 'swiss)) 'baby, 
equal to? 


What value is 'jack. 

(second-of (pair 'monterey 'jack)) equal 

to? 


Are these our favorite omelette Perhaps, 

ingredients? 


Here is the function pair. No surprises here. 

(defun pair (x y) (defun first-of (x) 

(cons x (cons y '()))) (car x)) 


Now define first-of and second-of. And none here, either. 



Is the claim first-of-pair a theorem? 


A claim is an as-yet unproven theorem. So far first-of-pair does not appear to be 

a theorem, since none of the axioms we 
know at this point can be used here. 
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Let’s try to prove the claim first-of-pair. 

How do we prove a claim? 

We prove a claim by writing a proof, of 

course. 

g 

And what is a proof? 


A proof is a sequence of rewriting steps Let’s get started, 
that ends in 't. If we can rewrite a claim, 
step by step, to 't, then that claim is a 
theorem. 


Since (pair x y) is (cons x (cons y '())), (cons a (cons b '())). 

what must (pair a b) be? 


The Law of Defun (initial) 

Given the non-recursive function 
(defun name (x 1 ... x n ) body ), 

(name e x ... e n ) = body where x 1 is e 19 ..., x n is e n . 


Apply the Law of Defun using the 
definition of pair. 

(equal (first-of (pair a b)) a) 


The body of pair is (cons x (cons y '())), 
and we replace x with a and y with b. 

(equal (first-of (cons a (cons b '()))) a) 


What axiom applies here? 

(equal (first-of (cons a (cons b '()))) a) 


No axiom, but we can apply the Law of 
Defun using first-of. 

(equal (car (cons a (cons b '()))) a) 
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Is the proof done yet? 

14 

Yes, once we use car/cons and 
equal-same. 

(equal (car (cons a (cons b '()))) a ) 

't 

Is first-of-pair a theorem? 

15 Yes, 

by the Law of Defun, car/cons, and 
equal-same. 

Which function definitions does the 
proof use? 

16 

It uses pair and first-of. 

(dethm second-of-pair (a b) 

(equal (second-of (pair a b)) b)) 

Is second-of-pair a theorem? 

17 

We shall find out. 

Use the definition of second-of. 

18 

We rewrite the focus using the Law of 
Defun. 

(equal (second-of (pair a b)) 

(equal (car (cdr (pair a b))) b) 

Now use the definition of pair. 

Easily done. 

(equal (car (cdr (pair a b) 

(equal (car (cdr (cons a (cons b '())) 


What next? Use cdr/cons, then car/cons. 


(equal (car (cdr (cons a (cons b '())))) 5) 

(equal b b) 


Correct. Does this focus reduce to 't? Yes, 


(equal b b) 

by equal-same. 

't 
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Is second-of-pair a theorem? 


22 


Yes, 


by car/cons, cdr/cons, equal-same 
second-of, and pair. 


In first-of-pair, we used the Law of Defun 
on pair first, but in second-of-pair, we 
used the Law of Defun on pair second. 


23 


Does that order matter? 


No, 


not in this particular case. 


24 


Can the order ever matter? 


Certainly, depending on the proof. 


25 


Can we always find a proof, whichever 
order we choose first? 


If we can find a proof one way, we can 
always find it another. If the second way 
goes wrong, we can “back up” to where 
we started and do it the first way again. 
But some approaches will find a proof 
faster than others. 


26 


That is useful to know 


What does in-pair? do? 

(defun in-pair? (xs) 

(if (equal (first-ofxs) '?) 


27 


(equal (second-of xs) '?))) 


The function in-pair? determines whether 
the two-element lisC xs contains '?. 


tOf course, in-pair? works on more inputs 
than just two-element lists. See chapter 4. 


We can try to prove this claim. 

(dethm in-first-of-pair (b) 

(equal (in-pair? (pair '? b)) 't)) 


28 


So in other words, prove the claim that 
in-pair? finds '? when it is the first 
element of a list? 
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Yes. Shall we begin? 

29 

First we use the definition of pair. 

(equal (in-pair? (pair '? b) 

■t) 

(equal (in-pair? (cons '? (cons b '())) 

’t) 

What now? 

Now we use the definition of in-pair?. 

(equal (in-pair? (cons '? (cons b '()))) 

■t) 

(equal (if (equal (first-of (cons '? (cons b '()))) 

'?) 

't 

(equal (second-of (cons '? (cons b '()))) 

'?)) 

't) 

And? 

31 

Next, we use the definition of first-of. 

(equal (if (equal (first-of (cons '? (cons b '()))) 

'?) 

't 

(equal (second-of (cons '? (cons b '()))) 

'?)) 

■t) 

(equal (if (equal (car (cons '? (cons b '()))) 

'?) 

't 

(equal (second-of (cons '? (cons b '()))) 

'?)) 

■t) 

Can we simplify further? 

32 

Yes, using car/cons and equal-same. 

(equal (i (equal (car (cons '? (cons b '()))) 

'?) 

't 

(equal (second-of (cons '? (cons b '()))) 

'?)) 

't) 

(equal (if 't 

't 

(equal (second-of (cons '? (cons b '()))) 

'?)) 

’t) 

Our claim looks simple from here. 

33 

It certainly does. 

(equal (if 't 

't 

(equal (second-of (cons '? (cons b '()))) 

'?)) 

’t) 

't 
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Is in-first-of-pair a theorem? 

34 Yes, 

by car/cons, equal-same, if-true, pair, 
in-pair?, and first-of. 

Here’s a similar claim. 

35 

This time, do we need to prove that 

— 

(dethm in-second-of-pair (a) 

(equal (in-pair? (pair a '?)) 't)) 

in- pair? finds '? when it is the second 
element of a two-element list? 

Exactly. Use pair first. 

This is a familiar step. 

(equal (in-pair? (pair a '?) 

’t) 

(equal (in-pair? (cons a (cons '? '())) 

’t) 

Is this step familiar, too? 

Yes, here we use in-pair?. 

(equal (in-pair? (cons a (cons '? '()))) 

’t) 

(equa (if (equal (first-of (cons a (cons '? '()))) 

'?) 

't 

(equal (second-of (cons a (cons '? '()))) 

'?)) 

’t) 


And then? 

38 

We can use first-of and car/cons in the if 
question. 

(equal (if (equal (first-of (cons a (cons '? '()))) 

'?) 

't 

(equal (second-of (cons a (cons '? '()))) 

'?)) 

’t) 

(equal (if (equal a 

't 

(equal (second-of (cons a (cons '? '()))) 

'?)) 

’t) 


Does the if question help in our proof of 
in-second-of-pair? 

39 

The if question is (equal a '?), but we 
don’t know whether a is equal to '?. 
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In that case, let’s skip to the if else. 

40 

Okay. In the if else, we use second-of. 

(equal (if (equal a '?) 

't 

(equal (if (equal a '?) 

't 

L 

(equal (second-of (cons a (cons '? '()))) 

L 

(equal (car (cdr (cons a (cons '? '())))) 

'?)) 

■?)) 

’t) 

■*) 

Here are two easy steps. 

41 

Indeed. 

(equal (if (equal a '?) 

't 

(equal (if (equal a '?) 

't 

L 

(equal (car (cdr (cons a (cons '? '())))) 

L 

(equal '? '?)) 

'?)) 

’t) 

’t) 


Obviously, '? is equal to '?. 

42 

That is indeed obvious. 

(equal (if (equal a '?) 

't 

(equal (if (equal a '?) 

't 

L 

(equal '? '?) 

'0 

’t) 

’t) 

Can we rewrite this if question now? 

No, but that is fine. We do not need its 


value after all. 

(equal (if (equal a '?) 

1 + 

't 

■t) 


’t) 



Insight: Skip Irrelevant Expressions 

Rewriting a claim to't does not have to go in any particular 
order. Some parts of the expression might be skipped en¬ 
tirely. For example, if-same can simplify many if expressions 
to 't regardless of the if question. 
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Now have we proved in-second-of-pair? 


44 


Yes, by car/cons, cdr/cons, equal-same, 
if-same, pair, in-pair?, first-of, and 
second-of. 


Did we need to use first-of? 


45 


No, so our proof should be shorter, right? 


Could be. Try out shorter proofs with 
J-Bob on page 183. 


46 


Now that we have met J-Bob, we can’t 
wait. 


Don’t rush to the next chapter. Take 
some time off and have a healthy snack 


47 


Should we read this chapter one more 
time? 


Perhaps. 


Perhaps we shall, over a bowl of oatmeal, 
dates, and blueberries. 
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What value is (listO? 'oatmeal) equal to? 'nil, 

because 'oatmeal is not a list. 

What value is (listO? '()) equal to? 't, 

because '() is the empty list. 


What value is (listO? '(toast)) equal to? 'nil, 

because the list '(toast) is not empty. 


Is listO? total? What does “total” mean? 


“listO? is total ” means that no matter In that case, listO? is total if equal is 

what value v is passed to listO?, the total, 

expression (listO? v) has a value. 


The function equal is total. Then listO? is total. 


(defun listO? (x) 
(equal x '())) 


(defun listO? (x) 

(if (equal x 'oatmeal) 

'nil 

(if (equal x '()) 

't 

(if (equal x '(toast)) 
'nil 

'nil)))) 


Define listO?. 


Very funny. Try again. 
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How do we arrive at that answer? 


9 


Well put. Take a bow. 


What value is (listl? ’oatmeal) equal to? 


What value is (listl? '()) equal to? 


What value is (listl? '(toast)) equal to? 



There’s no rush. We can take our time 
with this. 


44 


The function listO? applies equal to x and 
'(). As long as equal has a value for all 
arguments, listO? does as well. 

Grazie. 


because 'oatmeal is not a list. 


because the list '() does not have 
exactly one element. 


because '(toast) is a list of one element. 


because '(raisin oatmeal) is not a 
one-element list. 


(defun listl? (x) 

(if (atom x) 

'nil 

(listO? (cdr x)))) 


We have to think about that. This 
function is more complicated than listO?. 

The if question in listl? asks atom of x. Is 
atom total? 
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Yes, atom is total. 


18 


An if expression produces either its 
answer or its else no matter what value 
its question has. 





We are only concerned with the result of 
cdr on conses; (cdr 'grapefruit) must have 
a value, but that is all we need to know. 


23 
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What about if? 


In other words, as long as an if’s 
question, answer, and else have values, 
the if expression does too. 


Okay. And what about cdr and car? Are 
they total functions? 


That’s surprising! 


What value is (cdr 'grapefruit) equal to? 


What about (cdr '())? 


Do we need to know what its value is? 


All right. What about (car '())? 


We are ready to answer the question in 
frame 16. 


Yes, 

because atom, cdr, and listO? are total, 
and the if’s question, answer, and else 
all have values. 
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What value is (Iist2? 'oatmeal) equal to? 


28 


m 


predictably. 


What value is (Iist2? '(hash browns)) 
equal to? 


because '(hash browns) is a 
two-element list. 


30 

What value is 'nil, 

(Iist2? '(vinegared hash browns)) equal to? because '(vinegared hash browns) is not 

a two-element list. 


Define Iist2?. 


31 


(defun Iist2? (x) 
(if (atom x) 


m 


(listl? (cdr x)))) 


Is Iist2? total? 

32 Yes, 


for all the same reasons that listl? is 
total. 

Do we understand what total functions 
are now? 

33 TV 

Perhaps. 

In that case, we can update the Law of 
Defun. 

Really? 




The Law of Defun (final) 


Given the total function (defun name (x 1 . .. x n ) body), 
(name e 1 ... e ) = body where x 1 is e 1 , .. x n is e . 
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Yes. Now that we know what “total” 
means, we can use the Law of Defun for 
any total function, including all 
non-recursive functions and many 
recursive functions. 

Good question. Our axioms and laws tell 
us which expressions have equal values. 

If an expression does not have a value, 
our axioms and laws do not apply. 


Functions that are not total are called 
partial functions. Here is one. 



What value is (partial 'nil) equal to? 


We can try to prove this claim. 



Nevertheless, let’s try to prove that 'nil is 
equal to 't. 


Expand the claim using if-same, where x 
is (partial x) and y is 'nil. 
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But why does it matter if a function is 
total? 
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Expand the if answer below using the 
premise written in orange and if-nest-A 
where x is (partial x), y is 'nil, and z is 't. 

(if (partial x) 

'nil 

'nil) 

That is simple as well. 

(if (partial x) 

(if (partial x) 

'nil 

’t) 

'nil) 

Now expand the if else similarly, using 

42 

Very well. 

the orange premise and if-nest-E where x 


is (partial x), y is't, and z is 'nil. 


(if (partial x) 

(if (partial x) 

(if (partial x) 

(if (partial x) 

'nil 

'nil 

’t) 

't) 

'nil) 

(if (partial x) 


'nil) 


Next, use partial in both focuses. 

Okay. 

(if (partial x) 

(if (partial x) 

(partial x) 

(if (partial x) 

'nil 

'nil 

’t) 

't) 

(partial x) 

'nil 

't 

4) 

■nil)) 

(if (partial x) 


'nil 


't) 


't 


'nil)) 
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Now use if-nest-A and if-nest-E and the 
premise (partial x) to drop the new ifs. 

(if (partial x) 

(if (partial x) 

'nil 

■t) 

'nil 

't) 

(if (partial x) 

'nil 

■t) 

■t 

'nil)) 

44 

interesting. 

(if (partial x) 

(if 'nil 

'nil 

’t) 

(if 't 
't 

'nil)) 

Simplify these ifs. 

45 

Easy. We use if-false and if-true. 

(if (partial x) 

(if 'nil 
'nil 

’t) 

(if't 
't 

'nil)) 

(if (partial x) 

't 

■t) 

Now use if-same. 

How inconsistent! We have just shown 
that 'nil is equal to 't. 

(if (partial x) 

't 

’t) 

't 

Have we? 

47 

We started with 'nil and used if-same, 
if-false, if-true, if-nest-A, if-nest-E, and 
partial to rewrite the claim to 't. 

Wrong! 

48 

Why? 

Isn’t this exactly what we did? 


Remember: the Law of Defun only works Does that mean 'nil is not equal to 't? 

for total functions. And partial is not 

total. 
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Exactly right. 


50 



50 


What a relief! 

Otherwise, it would be impossible to 
imagine this book. 

But, aren’t there any total functions that 
we could use to prove contradiction? 

Now it is clear why total functions 
matter! 

How many more functions like this are 
there? 

That will take forever and ever. 


Certainly. How about recursion? 


(defun list? (x) 

(if (atom x) 

(equal x '()) 
(list? (cdr x)))) 


It produces 't if its argument is a list; 
that is, either '() or a cons whose cdr is 
also a list. Otherwise, list? produces 'nil. 

We think so. Every value is a list, or it is 
not a list. ^ 

^We do not consider infinite lists or circular 
lists; we only consider values that can be con¬ 
structed by finite programs using the operators 
we present. 
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But are we sure? 


58 


Look again at the definition of list? in 
frame 55. 


59 



So far, so good. We know that 
(list? (cdr x)) passes a value to list? that 
has fewer conses than it started with. 
And we know that if we do this enough 
times, we will reach an atom. 


65 



Our claim is that the measure of list? 
decreases on every recursive call. 


67 


Part of This Total Breakfast 


We are not certain. 


In order for the if to have a value, its 
question, answer, and else must, too. 


We already know that atom is total. 


The answer of the if is obvious. 


For that, we need to know that cdr and 
list? are total. 


Wait a minute! 


To find out whether list? is total, we 
need to know whether list? is total. But 
isn't that where we started? 


That makes sense, but it’s hardly a 
proof. 


What, exactly, is the claim? 


What is a measure? 
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A measure is an expression that is And what is list?’s measure? 

included with a function definition. It 

may only refer to previously defined, 

total functions and to the function 

definition’s formal arguments. The 

measure must produce a natural number 

that decreases for every recursive call to 

the function. 


The measure of list? is (size x). What is size? 

(defun list? (x) 

(if (atom x) 

(equal x '()) 

(list? (cdr x)))) 

measure: (size x) 


We count the conses in a value using size. 
What value is (size '((1 (a 2)) b)) equal 
to? 


70 


That is easy: '6 


Exactly. What value is 

That is also '6. 

(size '((10 (A 20)) B)) equal to? 


Precisely. What about 

72 i 

'4. 

(size '(10 (A 20)))? 


And (size ’10)? 

73 

That is 0, because there are no conses in 


'10. 
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Now we can state the claim that list? is 
total: 


74 


Indeed, (cdr x) has been built with one 
fewer cons than x. 


“If x is not an atom, then (size (cdr x)) 
must be smaller than (size x).” 

Is this claim true? 

Is there an axiom that tells us that the 
measure (size x) is a natural number? 


The Axioms of Size 



Here is the totality claim: 

(if (natp (size x)) 

(if (atom x) 

't 

(< (size (cdr x)) (size x))) 

' nil) t 

The function natp tells whether its 
argument is a natural number , meaning 
0 , 1 , 2 , ... 

^See how this claim is constructed from the 
definition of list? and its measure in chapter 8. 
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Yes, 

and (natp (size x)) states that the 
measure cannot decrease forever. 

76 

Ready and willing with these new 
axioms. 


Are we ready to prove that list? is total? 


Can we use natp/size? 

77 

And off we go! 

(natp (size x)) 

(if (atom x) 

't 

(< (size (cdr x)) (size x))) 

'nil) 

(if 't 

(if (atom x) 

't 

(< (size (cdr x)) (size x))) 

'nil) 

One if down. 

78 

And one to go. 

(if't 

(if (atom x) 

't 

(< (size (cdr x)) (size x))) 

'nil) 

(if (atom x) 

't 

(< (size (cdr x)) (size x))) 

What do we know about comparing sizes 
using the orange premise below? 

79 

We know size/cdr. 

(if (atom x) 

't 

(< (size (cdr x)) (size x)) 

(if (atom x) 

't 

't) 

And now we are done. 

Yes, we are, by if-same. 

(if (atom x) 

't 

’t) 

't 

We have just proved that list? is total. 

81 

Must we prove that every function is 
total? 
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Yes, 


82 


Let’s do it 


but since all non-recursive functions 
have the same measure and totality 
claim, we can just prove them all total 
at once. 


Here is the claim that a non-recursive 
function is total. 


83 


Interesting, the claim for a non-recursive 
function to be total is 't. The proof 
completes itself! 


84 


Now we know that many functions that What about other kinds of recursion? 
use recursion on lists can be total. 


The function sub replaces every '? in its 
second argument with the value of its 
first argument. What value is (sub 't '?) 
equal to? 


85 


because sub replaces '? with 't 


What value is (sub '(a ? b) '(x ? y)) 
equal to? 


86 


(x (a ? b) y), 

because sub replaces '? in '(x ? y) with 
'(a ? b). 


What value is 

(sub 'and 

'(ham (? eggs) ? (toast (?) butter))) 
equal to? 


87 


(ham (and eggs) and (toast (and) butter)) 
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Define sub. 

(defun sub (x y) 

(if (atom y) 

(if (equal y '?) 

X 

y) 

(cons (sub x (car y)) 

(sub x (cdr y))))) 

measure: (size y) 



. 89 

The definition of sub does come with a 

We hope that (size y) is the appropriate 

measure. Well done. 

measure. 

90 

Here is the claim that sub is total. 

We know that (size y) is a natural 


number. 

(if (natp (size y)) 

(if (atom y) 

(if (atom y) 

't 

't 

(if (< (size (cary)) (size y)) 

(if (< (size (car y)) (size y)) 

(< (size (cdry)) (size y)) 

(< (size (cdry)) (size y)) 

'nil)) 

■nil)) 


'nil) 


91 

This proof is going quickly. And the 

size/car and size/cdr, using the premise 

finale? 

(atom y). 

(if (atom y) 

(if (atom y) 

't 

't 

(< (size (cary)) (size y)) 

(if 't 

(< (size (cdry)) (size y)) 

't 

'nil)) 

'nil)) 

92 

Are there any other kinds of recursion we 

How about the recursion in partial? Are 

can try to prove total? 

we sure we can’t prove that total? 
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Good idea. Is partial total? 

(if (natp (size x)) 

(if (< (size x) (size x)) 


93 


nil) 


nil) 


We can take off the outer if, at least 


(if (< (size x) (size x)) 
't 

'nil) 


And then what? 


94 


We do not know. This claim looks 
false—hopefully (size x) is not less than 
(size x)! 


Exactly. And that is why partial is 
partial. 


95 


That’s clear 


Time for a recess? 


96 


J-Bob awaits on page 184. 


First let’s finish our breakfast 


97 


It is the most important meal of the day. 
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Is memb?t familiar? 


(defun memb? (xs) 

(if (atom xs) 

'nil 

(if (equal (car xs) '?) 

't 

(memb? (cdr xs))))) 


tThe name memb? ends with a ? not because 
it searches for '? but because it always returns 't 

or 'nil. 


Yes, 

it is sort of an old acquaintance, but it 
is just checking to see if there is a '? in 
xs. 


Is remb familiar, too? 

(defun remb (xs) 

(if (atom xs) 

'0 

(if (equal (car xs) ’?) 
(remb (cdr xs)) 

(cons (car xs) 

(remb (cdr xs)))))) 


Yes, 

this one has also been around for a 
while. Are these functions total? 


Perhaps they are. Here is memb? with a What must we prove? 
measure. 

(defun memb? (xs) 

(if (atom xs) 

'nil 

(if (equal (car xs) '?) 

't 

(memb? (cdr xs))))) 
measure: (size xs) 


Think It Over, and Over, and Over 
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Here is the claim that memb? is total. 

(if (natp (size xs)) 

(if (atom xs) 

't 

(if (equal (car xs) '?) 

't 

(< (size (cdrxs)) (size xs)))) 

'nil) 


We start by using natp/size and if-true. 

(if (atom xs) 

't 

(if (equal (car xs) '?) 

't 

(< (size (cdrxs)) (size xs)))) 


As in the proof of list?’s totality, size/cdr 
reduces this focus using the premise 
(atom xs). 

(if (atom xs) 

't 

(if (equal (car xs) '?) 

't 

(< (size (cdr xs)) (size xs)) 


And that’s that. 


(if (atom xs) 

't 

(if (equal (car xs) '?) 
't 

’t)) 


Here is the measure of remb. 

(defun remb (xs) 

(if (atom xs) 

'() 

(if (equal (car xs) '?) 
(remb (cdr xs)) 

(cons (car xs) 

(remb (cdr xs)))))) 

measure: (size xs) 


The function size is a versatile measure. 
What is the totality claim for remb? 


Here is the totality claim. 


(if (natp (size xs)) 

(if (atom xs) 

't 

(< (size (cdr xs)) (size xs))) 


Once again, we can start with natp/size 
and if-true. 

(if (atom xs) 

't 

(< (size (cdr xs)) (size xs))) 
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And then? 


(if (atom xs) 

't 

(< (size (cdr xs)) (size xs)) 


size/cdr finishes the job using the 
premise (atom xs). 

(if (atom xs) 

't 

’t) 


Can we prove memb?/rembO, which We can try. 

states that remb removes '? from a 
0-element list? 

(dethm memb?/rembO () 

(equal (memb? (remb '())) 'nil)) 


Go right ahead. 

(equal (memb? 

(remb '()) 

'nil) 


We start by using remb, replacing xs by 

'()■ 

(equal (memb? 

(if (atom '()) 

'() 

(if (equal (car '()) '?) 

(remb (cdr '())) 

(cons (car '()) 

(remb (cdr '()))))) 

'nil) 


Can the outer if expression be simplified? 


Sure, using atom and if-true, because '() 
is an atom. 


(equal (memb? 

(if (atom '()) 

'() 

(if (equal (car '()) '?) 
(remb (cdr '())) 
(cons (car '()) 

(remb (cdr '()))))) 



(equal (memb? 

'()) 

'nil) 


Think It Over, and Over, and Over 
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Now we can use memb?. 



Once again, xs is '(). 


(equal (memb? '()) 

'nil) 


(equal (if (atom '()) 

'nil 

(if (equal (car '()) '?) 

't 

(memb? (cdr '())))) 


Here is (atom '()) again. 


(equal (if (atom '()) 

'nil 

(if (equal (car '()) '?) 

't 

(memb? (cdr '())))) 


Yes, and after a few simple rewrites this 
proof is done. 

(equal 'nil 
'nil) 


Is memb?/rembO a theorem? 



How did we prove it? 


By atom, equal-same, if-true, memb? and 
remb. 


When did we use memb? and remb? 



When their arguments were '(). 


Were their arguments always '()? 


No, 

in frame 10 the argument of memb? 
was an if expression. 


How did we reduce the argument of By using axioms and theorems to 

memb? to '()? simplify ifs and function applications. 


What would have happened if we had 
used memb? before simplifying its 
argument? 


The entire if in its argument would be 
duplicated for each occurrence of xs in 
the definition of memb?. 
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What would that have done to the proof We might have had to simplify the 
of memb?/rembO? duplicated if expression three times 

instead of once. 


Insight: Rewrite from the Inside Out 

Rewrite an expression from the “inside” out, starting inside 
if answers, if elses, and function arguments. Simplify the 
arguments of a function application as much as possible, 
then use the Law of Defun to replace the application with 
the function’s body. Rewrite if questions as necessary to 
use theorems that require premises. Proceed to outer 
expressions when inner expressions cannot be simplified. 


Is memb?/rembl a theorem? 


21 


We shall see 


(dethm memb?/rembl (xl) 
(equal (memb? 

(remb (cons xl '()))) 
'nil)) 


As with memb?/rembO, use remb first. 


22 


That claim grew a lot! 


(equal (memb? 

(remb (cons xl 

'nil) 


()))) 


(equal (memb? 

(if (atom (cons xl '())) 

'() 

(if (equal (car (cons xl '())) '?) 
(remb (cdr (cons xl '()))) 
(cons (car (cons xl '())) 

(remb (cdr (cons xl '())))))) 

'nil) 


Why did it grow so much? 


We substitute xs with the much wider 
(cons xl '()) and xs appears five times in 
the body of the definition of remb. 


Think It Over, and Over, and Over 
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Next? 

24 

The expression (cons xl '()) is never an 
atom. 

(equal (memb? 

(if (atom (cons xl '())) 

■o 

(if (equal (car (cons xl '())) '?) 

(remb (cdr (cons xl '()))) 

(cons (car (cons xl '())) 

(remb (cdr (cons xl '())))))) 

'nil) 

(equal (memb? 

(if (equal (car (cons xl '())) '?) 

(remb (cdr (cons xl '()))) 

(cons (car (cons xl '())) 

(remb (cdr (cons xl '()))))) 

'nil) 

Now what? 

25 

Piece of cake. We use car/cons twice and 
cdr/cons twice. 

(equal (memb? 

(if (equal (car (cons xl '())) 

(remb (cdr (cons xl '())) 

(cons (car (cons xl '())) 

(remb (cdr (cons xl '())) 

'nil) 

(equal (memb? 

(if (equal xl 
(remb '() 

(cons xl 
(remb '())))) 

'nil) 

And now? 

26 

The argument to these two identical 
function applications of remb is '() and 
thus cannot be simplified any more. We 
could use the Law of Defun and rewrite 
the applications. 

(equal (memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '())))) 

'nil) 

Good point. But do we want to rewrite 
these applications? 

27 Why not? 

Have we seen the application (remb '()) 
before? 

28 Yes, 

it shows up in the theorem 
memb?/rembO in frame 9. 
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Is that significant? 


Perhaps we can use memb?/rembO to 
prove memb?/rembl. 


The theorem memb?/rembO rewrites In that case, we should not remove the 

(memb? (remb '())) to 'nil. two occurrences of (remb '()) from our 

expression. 


And? We should try to rewrite the expression 

so that (remb '()) is the argument of 
memb?. 


Exactly! How can we do that? 


Perhaps we can rewrite the if. 

(equal (memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '())))) 

'nil) 


Can we use if-true or if-false? 



No, 

we do not know whether (equal xl '?) 
is true or false. 


Can we use if- same? 



No, 

we cannot rewrite (remb '()) to 
(cons xl (remb '())). 


If we do not know whether the if s We do not know. Is there a way? 

question is true, and the answer and else 
are not the same, how can we rewrite the 

if? 


Think It Over, and Over, and Over 
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There is. Recall the rewriting steps in This is certainly familiar, 

frames 66-71 of chapter 2. First, we have 


to create a new if using if-same. 

(equal (memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '())))) 

'nil) 


(equal (if (equal xl '?) 

(memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '())))) 
(memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '()))))) 


Can we simplify the argument of memb? 
using the new if question? 

(equal (if (equal xl '?) 

(memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '()))) 

(memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '()))))) 


We can. In the new if answer, we know 
that xl is equal to '?. We use if-nest-A to 
drop the if in this focus. 

(equal (if (equal xl '?) 

(memb? 

(remb '()) 

(memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '()))))) 

'nil) 


Are we done using the new if? 


(equal (if (equal xl '?) 

(memb? (remb '())) 
(memb? 

(if (equal xl '?) 

(remb '()) 

(cons xl (remb '()))) 


In the new if else, xl is not equal to '?. 
We use if-nest-E to drop another if. 

(equal (if (equal xl '?) 

(memb? (remb '())) 

(memb? 

(cons xl (remb '())) 

'nil) 
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Here is the familiar expression from 
memb?/rembO that we anticipated in 
frame 31. 

(equal (if (equal xl '?) 

(memb? (remb '())) 

(memb? 

(cons xl (remb '())))) 

'nil) 


Rewriting the entire application of 
memb? in a new if helps a lot! And now 
the if question (equal xl '?) is entirely 
outside the application. 



If Lifting 

To move an if question from inside a focus to outside the 
focus, use if-same where x is the if question and y is the 
entire focus. This copies the focus in the answer and else 

of the new if. 

(original-context 

(original-context 

(if Q 

(original-focus 

(original-focus 

(if Q A E))) 

(if Q A E)) 


(original-focus 


(if Q A £)))) 

Then use if-nest-A and 

if-nest-E to remove each if with the 

same question in the answer and else of the new if. 

(original-context 


(if Q 

(original-context 

(original-focus 

(if Q 

(if Q A E)) 

(original-focus A) 

(original-focus 

(original-focus E 

(if Q A £)))) 



Think It Over, and Over, and Over 


67 


















Indeed. It is often useful to move an if Good to know, 

question in this way. 


Insight: Pull Ifs Outward 

Use If Lifting when an if is found in an argument of a 
function application or in an if question. Lift the if outside 
any function applications and if questions. 


Now we can use memb?/rembO. 


(equal (if (equal xl '?) 

(memb? (remb '())) 

(memb? 

(cons xl (remb '())))) 


41 


Yes, we know that this focus is equal to 

'nil. 

(equal (if (equal xl '?) 

'nil 

(memb? 

(cons xl (remb '())))) 

'nil) 


What can we do with the if else? 


42 


Use memb?. 


(equal (if (equal xl '?) 

'nil 

(memb? 

(cons xl (remb '()))) 



(equal (if (equal xl '?) 

'nil 

(if (atom (cons xl (remb '()))) 

'nil 

(if (equal (car (cons xl (remb '()))) 

'?) 

't 

(memb? 

(cdr (cons xl (remb '())))))) 

'nil) 


But coLild we use remb instead, with a 
different focus? 


We could use remb on (remb '()). Do we As in frame 31, (remb '()) lets us use 
know anything interesting about memb?/rembO, if we can rewrite the 

(remb '())? expression to form (memb? (remb '())). 
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It is useful to recognize parts of existing That much seems clear, 
theorems. 


Insight: Keep Theorems in Mind 

Bear existing theorems in mind, especially axioms. When 
the current claim contains an expression that some theo¬ 
rem can rewrite, try using that theorem. When the current 
claim contains part of an expression that some theorem 
can rewrite, leave that part alone and try to rewrite the 
current claim in order to use the theorem. 


Exactly. Now let’s rewrite this focus. 


45 


This is not difficult. 


(equal (if (equal xl '?) 

'nil 

(if (atom (cons xl (remb '()))) 

'nil 

(if (equal (car (cons xl (remb '()))) 

'?) 

't 

(memb? 

(cdr (cons xl (remb '())))))) 

'nil) 


(equal (if (equal xl '?) 

'nil 


(if (equal (car (cons xl (remb '()))) 

'?) 

't 

(memb? 

(cdr (cons xl (remb '()))))) 


'nil) 


These two are easy. 


46 


We know car/cons and cdr/cons 


(equal (if (equal xl '?) 

'nil 

(if (equal (car (cons xl (remb '()))) 

'?) 

't 

(memb? 

(cdr (cons xl (remb '()))) 

'nil) 


(equal (if (equal xl '?) 

'nil 

(if (equal xl 

'?) 

't 

(memb? 

(remb '()) 

'nil) 


Think It Over, and Over, and Over 
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Does this focus and the orange if 
question suggest an axiom? 

47 

Yes, they suggest if-nest-E. 

(equal (if (equal xl '?) 

'nil 

(if (equal xl '?) 

't 

(memb? 

(remb '()))) 

'nil) 

(equal (if (equal xl '?) 

'nil 

(memb? 

(remb '())) 

'nil) 

How about this focus? 

48 

We use memb?/rembO again, and the 
proof is finished. 

(equal (if (equal xl '?) 

'nil 

(memb? 

(remb '())) 

'nil) 

(equal (if (equal xl ’?) 

'nil 

'nil) 

'nil) 

Is memb?/rembl a theorem? 

49 

Yes, we have proved it. 

What does the theorem memb?/rembl 
mean? 

50 

It means that remb removes ’? from a 
1-element list. 

How did we prove it? 

51 

By atom/cons, if-false, car/cons, cdr/cons, 
if-same, if-nest-A, if-nest-E, 
memb?/rembO, memb?, and remb. 

Is this remarkable? 

52 

Without a doubt. 
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Let’s prove memb?/remb2. 

(dethm memb?/remb2 (xl x2) 
(equal (memb? 

(remb 


53 


This is becoming familiar 


nil)) 


(cons x2 
(cons xl '())))) 


Use remb. 


54 

That’s simple enough. 


(equal (memb? 

(remb (cons x2 (cons xl 

'nil) 


())))) 


(equal (memb? 

(if (atom (cons x2 (cons xl '()))) 

'() 

(if (equal (car 

(cons x2 (cons xl '()))) 

'?) 

(remb 

(cdr (cons x2 (cons xl '())))) 
(cons 

(car (cons x2 (cons xl '()))) 
(remb 
(cdr 

(cons x2 (cons xl '()))))))) 

'nil) 


Do we know the if question 'nil. 

(atom (cons x2 (cons xl '())))? 


(equal (memb? 

(if (atom (cons x2 (cons xl '()))) 

'() 

(if (equal (car (cons x2 (cons xl '()))) 

'?) 

(remb 

(cdr (cons x2 (cons xl '())))) 
(cons 

(car (cons x2 (cons xl '()))) 
(remb 
(cdr 

(cons x2 (cons xl '()))))))) 

'nil) 


(equal (memb? 

(if (equal (car (cons x2 (cons xl '()))) 

'?) 

(remb 

(cdr (cons x2 (cons xl '())))) 
(cons 

(car (cons x2 (cons xl '()))) 
(remb 
(cdr 

(cons x2 (cons xl '())))))) 


Think It Over, and Over, and Over 
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Deal with the cars and cdrs. 

56 

Done. 

(equal (memb? 

(if (equal (car (cons x2 (cons xl '()))) 

'?) 

(remb 

(cdr (cons x2 (cons xl '()))) 

(cons 

(car (cons x2 (cons xl '()))) 

(remb 

(cdr 

(cons x2 (cons xl '()))) 

'nil) 

(equal (memb? 

(if (equal x2 

(remb (cons xl '()) 

(cons x2 

(remb (cons xl '()) 

'nil) 

In this case ... 

We use If Lifting! 

(equal (memb? 

(if (equal x2 '?) 

(remb (cons xl '())) 

(cons x2 

(remb (cons xl '()))))) 

'nil) 

(equal (if (equal x2 '?) 

(memb? 

(remb (cons xl '()))) 

(memb? 

(cons x2 

(remb (cons xl '()))))) 

'nil) 

Exactly. Which axioms do we use in 
frame 57? 

We use if-same, if-nest-A, and if-nest-E, 
as in frames 36-38. 

Are we experiencing deja vu? 

59 

Yes, we saw this expression in the 
theorem memb?/rembl. We can use 
memb?/rembl here. 

(equal (if (equal x2 '?) 

(memb? 

(remb (cons xl '()))) 

(memb? 

(cons x2 

(remb (cons xl '()))))) 

'nil) 

(equal (if (equal x2 '?) 

'nil 

(memb? 

(cons x2 

(remb (cons xl '()))))) 

'nil) 
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Let’s use memb?. Ready? 

And willing. 

(equal (if (equal x2 '?) 

'nil 

(memb? 

(cons x2 

(remb (cons xl '())))) 

'nil) 

(equal (if (equal x2 '?) 

'nil 

(if (atom 

(cons x2 

(remb (cons xl '())))) 

'nil 

(if (equal 
(car 

(cons x2 

(remb (cons xl '())))) 

'?) 

't 

(memb? 

(cdr 

(cons x2 

(remb (cons xl '()))))))) 

'nil) 

The next two steps are easy. 

61 

That’s music to our ears. 

(equal (if (equal x2 '?) 

'nil 

(if (atom 

(cons x2 

(remb (cons xl '())))) 

'nil 

(if (equal (car 

(cons x2 

(remb (cons xl '())))) 

'?) 

't 

(memb? 

(cdr 

(cons x2 

(remb (cons xl '()))))))) 

'nil) 

(equal (if (equal x2 '?) 

'nil 

(if (equal (car 

(cons x2 

(remb (cons xl '())))) 

'?) 

't 

(memb? 

(cdr 

(cons x2 

(remb (cons xl '())))))) 

'nil) 


Think It Over, and Over, and Over 
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So are these two steps. 

62 

Those steps sure are easy. 

(equal (if (equal x2 '?) 


(equal (if (equal x2 '?) 

'nil 


'nil 

(if (equal (car 


(if (equal x2 

(cons x2 


't 

(remb (cons xl '())))) 


(memb? 

'?) 


(remb (cons xl '())) 

't 

(memb? 


'nil) 

(cdr 



(cons x2 



(remb (cons xl '())))) 



'nil) 



Do we know (equal x2 '?) in this focus? 

63 

Yes, by if-nest-E. 

(equal (if (equal x2 '?) 


(equal (if (equal x2 '?) 

'nil 


'nil 

(if (equal x2 '?) 


(memb? (remb (cons xl '()))) 

't 

(memb? (remb (cons xl '())))) 


'nil) 

'nil) 



It’s deja vu all over again!t 

64 

It’s quite convenient that memb?/rembl 
is a theorem. 

(equal (if (equal x2 '?) 


(equal (if (equal x2 '?) 

'nil 


'nil 

(memb? (remb (cons xl '()))) 


'nil) 

'nil) 


'nil) 

Wogi Berra might have said so. 



Is memb?/remb2 a theorem? 

65 

Certainly. 

What does memb?/remb2 mean? 

66 

The same as memb?/rembO and 
memb?/rembl, but for 2-element lists. 

How does the proof of memb?/remb2 

67 

It uses the same steps in the same order, 

compare to the proof of memb?/rembl? 


but with slightly longer lists and using 
memb?/rembl instead of memb?/rembO. 
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Can we prove memb?/remb3? 

(dethm memb?/remb3 (xl x2 x3) 
(equal 


68 


(memb? 

(remb 


(cons x3 
(cons x2 


nil)) 


(cons xl '()))))) 


Sure 


just use the same approach and rely 
on memb?/remb2. 


Of course. 


69 


How many times must we do this? 


Until we reach the largest list. 


70 


That will take forever and ever 


It certainly will. 


And we are getting hungry! 


Take a short visit to J-Bob, first. The 
proofs about memb? and remb start on 
page 185. 


72 


Then something tasty? 


Why not take a break and have a steak 


73 


That is indeed a rare breakfast 


Think It Over, and Over, and Over 
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Are the proofs of memb?/rembO, It seems so. 

memb?/rembl, and memb?/remb2 
building toward a larger theorem? 


What should the theorem say? 


It should say that remb removes '? from 
any list. 


Going one element at a time isn’t This is just like listO?, listl?, and Iist2? in 

working well enough. chapter 4. 


How so? 


We start with the empty list and define a 
new function for each slightly longer list. 


How do those new functions work? 


They deal with one element, then call 
the previous function. 


How do we extend a function to work on The answer is recursion! 
lists of any length? 


We like simple answers. 


Can we use recursion in proofs? 


Yes, 

recursion in proofs is called induction 
and it’s a great idea. How do we think 
that would work? 


The same way as in functions. One case 
for the empty list and handle the rest via 
natural recursion. 


And what is the natural recursion? 


For a list xs, it is the same function call 
but with (cdr xs). 


Think It Through 
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Shall we try out this idea? 



We can’t wait! 


Try to prove memb?/remb. 


Here we go again. 


(dethm memb?/remb (xs) 

(equal (memb? (remb xs)) 'nil)) 


But only one more time. Here is the 
inductive claim we must prove for 

memb?/remb. 

(if (atom xs) 

(equal (memb? (remb xs)) 'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (memb? (remb xs)) 'nil) 

’t)) 

Which parts of the if answer and if else 
are identical? 


The parts that are exactly the same as 
the claim memb?/remb. 

(if (atom xs) 

(equal (memb? (remb xs)) 'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (memb? (remb xs)) 'nil) 

■t)) 


The first if answer states memb?/remb 
for empty lists, where xs is an atom. 
What about the other if answer? 

(if (atom xs) 

(equal (memb? (remb xs)) 'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (memb? (remb xs)) 'nil) 

’t)) 


This one states memb?/remb for 
non-empty lists, where xs has at least 
one cons. 

(if (atom xs) 

(equal (memb? (remb xs)) 'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? (remb xs)) 'nil) 

■t)) 


The orange expression is not quite the 
same as memb?/remb. How is it 
different? 

(if (atom xs) 

(equal (memb? (remb xs)) 'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (memb? (remb xs)) 'nil) 

’t)) 


This expression has (cdr xs) where 
memb?/remb has xs. It looks like the 
natural recursion for our claim. 


78 


Chapter 6 









The (natural) recursion for a claim is 
called the inductive premise. What is it 
for? 

15 

We’re not sure. Once we use it, 
we’ll find out. 

perhaps 

How does our proof begin? 

16 

We use the definition of remb. 


(if (atom xs) 

(if (atom xs) 


(equal (memb? 

(equal (memb? 


(remb xs) 

(if (atom xs) 


'nil) 

'() 


(if (equal (memb? (remb (cdr xs))) 'nil) 

(if (equal (car xs) ’?) 


(equal (memb? (remb xs)) 'nil) 

(remb (cdr xs)) 


■t)) 

(cons (car xs) 

(remb (cdr xs))))) 

’nil) 



(if (equal (memb? (remb (cdr xs))) 1 
(equal (memb? (remb xs)) ’nil) 

■t)) 

nil) 


We know which way this if goes, based 
on the premise (atom xs). 

Yes, that nested if is obvious. 

(if (atom xs) 

(if (atom xs) 

(equal (memb? 

(equal (memb? 

(if (atom xs) 

'()) 

'() 

’nil) 

(if (equal (car xs) ’?) 

(if (equal (memb? (remb (cdr xs))) ’nil) 

(remb (cdr xs)) 

(equal (memb? (remb xs)) ’nil) 

(cons (car xs) 

■*)) 

(remb (cdr xs))))) 


’nil) 


(if (equal (memb? (remb (cdr xs))) ’nil) 


(equal (memb? (remb xs)) ’nil) 

■t)) 



Think It Through 
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Now? 

18 

Use memb?. Easy. 

(if (atom xs) 

(equal (memb? '()) 

'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? (remb xs)) 'nil) 

(if (atom xs) 

(equal (if (atom '()) 

'nil 

(if (equal (car'()) '?) 

't 

(memb? (cdr '())))) 

'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? (remb xs)) 'nil) 

Can we simplify this answer? 

19 

Yes, using atom, if-true, and equal-same. 

(if (atom xs) 

(equal (if (atom '()) 

'nil 

(if (equal (car'()) '?) 

't 

(memb? (cdr '())))) 

'nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? (remb xs)) 'nil) 

■t)) 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? (remb xs)) 'nil) 

■t)) 

Consider the case for non-empty lists. 

20 

We start by using remb. 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? 

(remb xs) 

'nil) 

■t)) 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? 

(if (atom xs) 

■o 

(if (equal (car xs) '?) 

(remb (cdr xs)) 

(cons (car xs) 

(remb (cdr xs))))) 

'nil) 

■t)) 


80 


Chapter 6 






Remember, xs is non-empty in this focus 
since it is in the if else of the premise 
(atom xs). 

21 

We can use if-nest-E. 

(if (atom xs) 

(if (atom xs) 

't 

't 

(if (equal (memb? (remb (cdr xs))) ’nil) 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? 

(equal (memb? 

(if (atom xs) 

(if (equal (car xs) '?) 

’() 

(remb (cdr xs)) 

(if (equal (car xs) '?) 

(cons (car xs) 

(remb (cdr xs)) 

(remb (cdr xs)))) 

(cons (car xs) 

'nil) 

(remb (cdr xs))))) 

■nil) 

■t)) 

■*)) 


What do we do here? 

Like memb?/rembl and memb?/remb2 
we use If Lifting on (equal (car xs) '?). 

(if (atom xs) 

't 

(if (atom xs) 

't 

l 

(if (equal (memb? (remb (cdr xs))) 'nil) 

l 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (memb? 

(equal (if (equal (car xs) '?) 

(if (equal (car xs) '?) 

(memb? (remb (cdr xs))) 

(remb (cdr xs)) 

(memb? 

(cons (car xs) 

(cons (car xs) 

(remb (cdr xs))))) 

(remb (cdr xs))))) 

'nil) 

'nil) 

■t)) 

■t)) 


Here, this amounts to pushing memb? 
into the answer and else of an if. 


Think It Through 
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The inductive premise states that this 
focus is equal to 'nil. Can we do 
anything with it? 


(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

(memb? (remb (cdr xs))) 

(memb? 

(cons (car xs) 

(remb (cdr xs))))) 

'nil) 

’t)) 


By equal-if, we are able to replace this 
focus with 'nil. 


(if (atom xs) 
't 


(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (if (equal (car xs) '?) 

'nil 

(memb? 

(cons (car xs) 

(remb (cdr xs))))) 




What next? 


24 

Perhaps we could use remb here. 


(if (atom xs) 
't 


(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (if (equal (car xs) '?) 

'nil 

(memb? 

(cons (car xs) 

(remb (cdr xs))))) 




What do we know about (remb (cdr xs))? According to the inductive premise, we 

know that (memb? (remb (cdr xs))) is 
equal to 'nil. But the inductive premise 
does not allow us to rewrite 
(remb (cdrxs)) itself. 


Just like with existing theorems, always We’ll remember that, 
keep the inductive premise in mind. 

Never rewrite the natural recursion in an 
inductive proof; keep it around until the 
inductive premise helps simplify it. 
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Insight: Don’t Touch Inductive Premises 

Do not try to simplify an inductive premise in an inductive 
proof directly. Instead, rewrite the expression around it 
until the inductive premise can be applied. Often, after ap¬ 
plying the inductive premise, an inductive proof is nearly 
done. 


Use memb? in this focus. 


27 


That’s easy. 


(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 
(equal (if (equal (car xs) '?) 

'nil 

(memb? 

(cons (car xs) 

(remb (cdr xs)))) 

'nil) 

■t)) 


(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

(if (atom (cons (car xs) 

(remb (cdr xs)))) 

'nil 

(if (equal (car 

(cons (car xs) 

(remb (cdr xs)))) 

'?) 

't 

(memb? 

(cdr 

(cons (car xs) 

(remb (cdr xs))))))) 


t)) 


nil) 


Think It Through 
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Next? 

(if (atom xs) 

't 

(if (equal (memb? (remb (edr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

(if (atom (cons (car xs) 

(remb (edr xs)))) 

'nil 

(if (equal (car 

(cons (car xs) 

(remb (edr xs)))) 

'?) 

't 

(memb? 

(edr 

(cons (car xs) 

(remb 

(edr xs))))))) 


28 


We can drop one if. 

(if (atom xs) 

't 

(if (equal (memb? (remb (edr xs))) 'nil) 
(equal (if (equal (car xs) '?) 

'nil 

(if (equal (car 

(cons (car xs) 
(remb (edr xs)))) 

'?) 

't 

(memb? 

(edr 

(cons (car xs) 

(remb 

(edr xs)))))) 

'nil) 

’t)) 


t)) 


nil) 


Here are two easy steps. 


29 


(if (atom xs) 

't 

(if (equal (memb? (remb (edr xs))) 'nil) 
(equal (if (equal (car xs) '?) 

'nil 

(if (equal (car 

(cons (car xs) 
(remb 

(edr xs)))) 

'?) 

't 

(memb? 

(edr 

(cons (car xs) 

(remb 

(edr xs)))) 

'nil) 

’t)) 


We can use car/cons and edr/cons in our 
sleep at this point. 

(if (atom xs) 

't 

(if (equal (memb? (remb (edr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

(if (equal (car xs) 

'?) 

't 

(memb? 

(remb 

(edr xs))))) 

'nil) 


- 
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Anything special about the if in this 
focus? 

30 

It is nested, of course. 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

(if (equal (car xs) '?) 

't 

(memb? 

(remb (cdr xs)))) 

'nil) 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

(memb? 

(remb (cdr xs))) 

'nil) 

’*)) 

What do we see in this focus? 

31 

Another chance to use the inductive 
premise. 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

(memb? (remb (cdr xs))) 

'nil) 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

'nil 

'nil) 

’t)) 

This is rather obvious. 

32 

Certainly. 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

(equal (if (equal (car xs) '?) 

'nil 

'nil) 

'nil) 

■t)) 

(if (atom xs) 

't 

(if (equal (memb? (remb (cdr xs))) 'nil) 

't 

't)) 

And now the proof of memb?/remb is 
done. 

33 Q.E.D. 

Does the proof of memb?/remb look 
familiar? 

34 

Yes, it looks like the proofs we did for 

memb?/rembO, memb?/rembl, and 
memb?/remb2. 


Think It Through 
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Insight: Build Up to Induction Gradually 

Build up to a proof by induction over lists by proving 
theorems about the empty list, lists with one element, lists 
with two elements, and so on. Once the pattern of these 
proofs is clear, the proof by induction should be similar. 


Congratulations! We have learned how Can we use induction for other proofs? 

to prove a theorem with induction. 


Proof by List Induction 

To prove a claim C by induction over a list named x, prove 
(if (atom x) C (if C c dr C 't)) 
where C c d r is C with x replaced by (cdr x). 


Have we learned the answer to the No, but we have learned how to do 

ultimate question of life, the universe, induction, 

and everything yet?^ 

tThank you, Douglas Adams (1952-2001). 


Does that mean we know what the No, not completely. Perhaps, reading 

inductive premise is for? this chapter one more time would help? 


Perhaps. J-Bob can help with induction; Will do. 
the proof of memb?/remb starts on 
page 187. 


It is time for a hot fudge sundae. 


39 


Not exactly a breakfast of champions. 
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The function ctx? determines whether its 'nil, because there is no '? in '(). 
argument contains '?. What value is 
(ctx? '()) equal to? 


What value is (ctx? '(a (? ?) c)) equal 't, because there is a '? in '(a (? ?) c). 

to? 


(defun ctx? (x) 

(if (atom x) 

(equal x '?) 

(if (ctx? (car x)) 

't 

(ctx? (cdrx))))) 
measure: (size x) 


Using natp/size, we know that (size x) is 
a natural number. We can drop an if. 

(if (atom x) 

't 

(if (< (size (car x)) (size x)) 

(if (ctx? (car x)) 

't 

(< (size (cdr x)) (size x))) 

'())) 

Although ctx? may not be total, we can 
apply ctx? in its totality claim so long as 
we do not use its definition via the Law 
of Defun. 

^This totality claim is more complex than 
most others in this book. In chapter 8, we de¬ 
scribe the process of creating totality claims in 
detail. 


We can show that ctx? is total. Here is 
the claim we must proved 

(if (natp (size x)) 

(if (atom x) 

't 

(if (< (size (car x)) (size x)) 

(if (ctx? (car x)) 

't 

(< (size (cdrx)) (size x))) 

'())) 

'()) 


Define ctx?. 


Oh My, Stars! 
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What can we do with the size 
comparisons using this premise? 

(if (atom x) 

't 

(< (size (car x)) (size x)) 

(if (ctx? (car x)) 

't 

(< (size (cdr x)) (size x)) 

'())) 


We can use size/car on the first 
application of < and size/cdr on the 
second application of <. 

(if (atom x) 

't 

(if 't 

(if (ctx? (car x)) 

't 

’t) 

'())) 


And then? 


The proof is essentially done. 


Recall sub from frame 88 of chapter 4 


(defun sub (x y) 

(if (atom y) 

(if (equal y '?) 

x 

y) 

(cons (sub x (car y)) 
(sub x (cdr y))))) 


measure: (size y) ^ 

State the claim that if x and y contain '?, 
then so does (sub x y). 


(dethm ctx?/sub (x y) 
(if (ctx? x) 

(if (ctx? y) 


t)) 


(equal (ctx? (sub x y)) 't) 

t) 


Is ctx?/sub a theorem? 


We have to prove it to find out. Can we Maybe, 

use induction to prove it? but sub and ctx? are not quite like 

remb and memb?. 


How do they differ? The functions sub and ctx? perform 

natural recursion on the car, as well as 
the cdr. The functions remb and memb? 
only perform natural recursion on the 

cdr. 
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Proof by Star Induction 

To prove a claim C by induction over cars and cdrs of a 
variable named x, prove 

(if (atom x) C (if C car (if C cdr C 't) 't)) 

where C car is C with x replaced by (car x) and C cf j r is C with 
x replaced by (cdr x). 


Use our new kind of induction over y. 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

’t) 

't) 


Wow, using induction enlarges the claim! 

(if (atom y) 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

’t) 

’t) 

(if (if (ctx? x) 

(if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

’t) 

(if (if (ctx? x) 

(if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

■t) 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t) 

■t)) 


Oh My, Stars! 
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We now have an inductive premise for 
the car as well as the cdr. There are four 
versions of our original claim now, 
written in orange. One is the case where 
y is an atom, one is the case where y is a 
cons, and the other two are inductive 
premises. Can we make this claim 
smaller? 


Yes, we do so by using If Lifting on 
(ctx? x). We also use if-same thrice to 
simplify the final if else to 't. 


(if (atom y) 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

’t) 

't) 

(if (if (ctx? x) 

(if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

’t) 

(if (if (ctx? x) 

(if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

’t) 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

*t) 

■t)) 


(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

’t) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) ’t) 

■t) 

■t) 

■t)) 

■t) 


Insight: Combine Ifs 

When there are multiple ifs with the same question, com¬ 
bine them into one if with If Lifting. Lift the ifs outside 
any function applications and if questions. 
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Next, use sub. 


12 


And if-nest-A using the premise (atom y). 


(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(equal (ctx? (sub x y) 

■t) 

■t) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t)) 

■t) 


(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(equal (ctx? (if (equal y '?) 

x 

y)) 

'*) 

't) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t)) 

■t) 


Do we want to expand 
(ctx? (if (equal y '?) x y))? 

(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(equal (ctx? (if (equal y '?) 

x 

y)) 

■t) 

■t) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t)) 

■t) 


No, we want to lift the if outside the 
applications of ctx? and equal. 

(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(if (equal y '?) 

(equal (ctx? x) 't) 

(equal (ctx? y) 't)) 

’t) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t)) 

■t) 


Oh My, Stars! 
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If the premise (ctx? x) is true, can we That sounds right. Shouldn't we be able 

rewrite (ctx? x) to't in this if answer? to rewrite any premise to't if it is true? 

(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(if (equal y '?) 

(equal (ctx? x) 't) 

(equal (ctx? y) 't)) 

■t) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

't) 

't) 

’t)) 

't) 


Not necessarily, since if is total. Its That’s true, and also surprising, 

question might have a value other than 't 

or 'nil. 


So, can we rewrite (ctx? x) to 't when it We should be able to, since ctx? only 
is true? produces 't or 'nil. 


What theorem rewrites (ctx? x) to 't? 


We do not know of any. We must first 
prove that (ctx? x) is equal to 't. 


How many steps does that take? 


We don’t know. The function ctx? is 
recursive, so we may need to use 
induction again. 
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19 

In that case, let’s state a new claim that 
if (ctx? x) is true, it is equal to 't. i 

That is easy. 

(dethm ctx?/t (x) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t)) 




Insight: Create Helpers for Induction 

To rewrite the application of 

a recursive function, prove 

a separate theorem about the recursive function using 

induction. Do this if the current proof either does not 

use induction, or uses induction for a different kind of 

recursion from the function, or 

uses induction on different 

arguments from the application. 


20 

Can we use ctx?/t now? 

Yes, using these premises, if we prove 


ctx?/t eventually. 

(if (ctx? x) 

(if (ctx? x) 

(if (atom y) 

(if (atom y) 

(if (ctx? y) 

(if (ctx? y) 

(if (equal y '?) 

(if (equal y '?) 

(equal (ctx? x) t) 

(equal 't 't) 

(equal (ctx? y) 't)) 

(equal 't ’t)) 

’t) 

■t) 

(if (if (ctx? (car y)) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

(equal (ctx? (sub x (car y))) 't) 

’t) 

't) 

(if (if (ctx? (cdr y)) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

■t) 

(if (ctx? y) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t) 

■t) 

■t)) 


■0 

’t) 


Oh My, Stars! 
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What can we do with this focus? 

21 

We use equal-same and if-same to rewrite 
the entire focus to 't. 

(if (ctx? x) 

(if (atom y) 

(if (ctx? y) 

(if (equal y '?) 

(equal 't ’t) 

(equal 't 't)) 

't) 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

't)) 

■t) 

(if (ctx? x) 

(if (atom y) 

't 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

(if (ctx? y) 

(equal (ctx? (sub x y)) 't) 

■t) 

■t) 

■t)) 

■t) 

Does ctx? / 1 need to be proved 
eventually? 

22 

Yes, it certainly does. 

Use sub and simplify the result. 

23 

Very well, we use if-nest-E and the 
premise (atom y). 

(if (ctx? x) 

(if (atom y) 

't 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

(if (ctx? y) 

(equal (ctx (sub x y) 

’t) 

’t) 

’t) 

■t)) 

*t) 

(if (ctx? x) 

(if (atom y) 

't 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) ’t) 

■t) 

(if (ctx? y) 

(equal (ctx7 (cons (sub x (car y)) 

(sub x (cdr y))) 

■t) 

■t) 

■t) 

■t)) 

■t) 
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Now use ctx?. Again, simplify the result. 

24 

This time we use atom/cons, car/cons, 


cdr/cons, and if-false. 

(if (ctx? x) 

(if (ctx? x) 

(if (atom y) 

■t 

(if (atom y) 

■t 

L 

(if (if (ctx? (car y)) 

L 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

't) 

(if (if (ctx? (cdr y)) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

■t) 

(if (ctx? y) 

(if (ctx? y) 

(equa’ (ctx? (cons (sub x (car y)) 

(equal (if (ctx? (sub x (car y))) 

(sub x (cdr y)))) 

't 

■t) 

(ctx? (sub x (cdr y)))) 

■t) 

■t) 

■t) 

■t) 

’t)) 

■t) 

■t) 

■t)) 


■t) 


Do we want to rewrite the applications 

No, they are each part of an inductive 

of ctx? written in orange? 

premise. We rewrite the if question 
above them, instead. 

(if (ctx? x) 

(if (ctx? x) 

(if (atom y) 

■t 

(if (atom y) 

't 

L 

(if (if (ctx? (car y)) 

L 

(if (if (ctx? (car y)) 

(equal (ctx? (sub x (car y))) 't) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

't) 

(if (if (ctx? (cdr y)) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

’t) 

(if (ctx? y) 

(if (if (ctx? (car y)) 

(equal (if (ctx? (sub x (car y))) 

't 

't 

(ctx? (cdr y))) 

(ctx? (sub x (cdr y))) 

(equal (if (ctx? (sub x (car y))) 

■t) 

't 

■t) 

(ctx? (sub x (cdr y)))) 

■t) 

■t) 

’»)) 

■t) 

■t) 

■t) 


’t)) 


't) 


Oh My, Stars! 
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26 


There are two ifs with the same question. Clearly, we should lift that if question. 

We also use if-true twice. 


(if (ctx? x) 

(if (atom y) 

't 

(if (if (ctx? (cary)) 

(equal (ctx? (sub x (car y))) 't) 

■t) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

(if (if (ctx? (cary)) 

't 

(ctx? (cdr y))) 

(equal (if (ctx? (sub x (car y))) 

't 

(ctx? (sub x (cdr y)))) 

■t) 

■t) 

■t) 

■t)) 

■t) 


(if (ctx? x) 

(if (atom y) 

't 

(if (ctx? (car y)) 

(if (equal (ctx? (sub x (car y))) 't) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

■t) 

(equal (if (ctx? (sub x (car y))) 

't 

(ctx? (sub x (cdr y)))) 

■t) 

■t) 

■t) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

(if (ctx? (cdr y)) 

(equal (if (ctx? (sub x (car y))) 

't 

(ctx? (sub x (cdr y)))) 

■t) 

■t) 

■t))) 

■t) 
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Now we can use an inductive premise. 

27 

And rewrite another if answer to 't. 

(if (ctx? x) 

(if (ctx? x) 

(if (atom y) 

(if (atom y) 

't 

't 

(if (ctx? (car y)) 

(if (ctx? (car y)) 

(if (equal (ctx? (sub x (car y))) 't) 

't 

(if (if (ctx? (cdr y)) 

(if (if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

(equal (ctx? (sub x (cdr y))) 't) 

’t) 

’t) 

(equal (if (ctx? (sub x (car y))) 

(if (ctx? (cdr y)) 

't 

(equal (if (ctx? (sub x (car y))) 

(ctx? (sub x (cdr y)))) 

't 

■t) 

(ctx? (sub x (cdr y)))) 

■t) 

’t) 

■t) 

't) 

(if (if (ctx? (cdr y)) 

't))) 

(equal (ctx? (sub x (cdr y))) 't) 

't) 

't) 


(if (ctx? (cdr y)) 


(equal (if (ctx? (sub x (car y))) 

't 


L 

(ctx? (sub x (cdr y)))) 




■t) 


■t))) 


■t) 


Once again, there are two ifs with the 

Time for If Lifting followed by if-same. 

same question. 


(if (ctx? x) 

(if (ctx? x) 

(if (atom y) 

(if (atom y) 

't 

't 

(if (ctx? (car y)) 

(if (ctx? (car y)) 

't 

't 

(if (if (ctx? (cdr y)) 

(if (ctx? (cdr y)) 

(equal (ctx? (sub x (cdr y))) 't) 

(if (equal (ctx? (sub x (cdr y))) 't) 

’t) 

(equal (if (ctx? (sub x (car y))) 

(if (ctx? (cdr y)) 

't 

(equal (if (ctx? (sub x (car y))) 

(ctx? (sub x (cdr y)))) 

't 

■t) 

(ctx? (sub x (cdr y)))) 

■t) 

’t) 

■t))) 

’t) 

■t) 

't))) 


't) 
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We can use the other inductive premise. 

And the rest is quite easily done. 

(if (ctx? x) 

(if (atom y) 

't 

(if (ctx? (car y)) 

't 

(if (ctx? (cdr y)) 

(if (equal (ctx? (sub x (cdr y))) 't) 

(equal (if (ctx? (sub x (car y))) 

't 

(ctx? (sub x (cdry)))) 

■t) 

■t) 

■t))) 

■t) 

't 

Not quite! 

30 

That’s right, 

we must still prove ctx?/t from 
frame 20. 

Here is the claim of ctx?/t. Does this 
claim need induction? 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

31 O 

Yes, because ctx? uses recursion over 
stars. 

(if (atom x) 

(if (ctx? x) 

(equal (ctx? x) 't) 

’t) 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) 't) 

't) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdrx)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

■t) 

■t)) 
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Use ctx? on these two focuses. 

32 

We then use the premise (atom x) and 
if-nest-A to drop the two resulting ifs. 

(if (atom x) 

(if (ctx? x) 

(equal (ctx? x) 't) 

’t) 

(if (if (ctx? (carx)) 

(equal (ctx? (carx)) 't) 

*t) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdr x)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) ’t) 

■t) 

■t) 

■t)) 

(if (atom x) 

(equal x '?) 

(equal (equal x '?) 't) 

■t) 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) *t) 

't) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdrx)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

■t) 

■*)) 

Is this step obvious? 

Yes, indeed. 

(if (atom x) 

(if (equal x '?) 

(equal (equal xt ) ’t) 

't) 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) 't) 

't) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdr x)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

■t) 

■t)) 

(if (atom x) 

(if (equal x '?) 

(equal (equal '? ) 't) 

■t) 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) 't) 

't) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdrx)) 't) 

■t) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

■t) 

■t)) 

tHello, there! This is the focus. 
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And this step? 


(if (atom x) 

(if (equal x '?) 

(equal (equal '? '?) 't) 

’t) 

(if (if (ctx? (car x)) 

(equal (ctx? (carx)) 't) 

't) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

] t) 


This is actually three steps: equal-same, 
equal-same, and if-same. 

(if (atom x) 

't 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) 't) 

't) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdrx)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) 't) 

't) 

't) 

’t)) 


Now use ctx?, if-nest-E, and the premise Very well, 
written in orange in both focuses. 


(if (atom x) 

't 

(if (if (ctx? (car x)) 

(equal (ctx? (carx)) 't) 

■t) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdr x)) 't) 

't) 

(if (ctx? x) 

(equal (ctx? x) 't) 

■t) 

■t) 

■t)) 


(if (atom x) 

't 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) 't) 

't) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdrx)) 't) 

'*) 

(if (if (ctx? (carx)) 

't 

(ctx? (cdrx))) 

(equal (if (ctx? (carx)) 

't 


(ctx? (cdr x))) 

■0 

■t) 

■t) 

■t)) 
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What do these three its have in common? All three its have the question 


(if (atom x) 

't 

(if (if (ctx? (car x)) 

(equal (ctx? (car x)) 't) 

’t) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

■t) 

(if (if (ctx? (car x)) 

't 

(ctx? (cdr x))) 

(equal (if (ctx? (car x)) 

't 

(ctx? (cdr x))) 

■t) 

■t) 

■t) 

■t)) 

(ctx? (car x)), so we use If Lifting. We 
also use if-true once where the premise in 
orange is false, and we use equal-same 
and if-true at the second orange 
expression. 

(if (atom x) 

't 

(if (ctx? (car x)) 

(if (equal (ctx? (car x)) 't) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

■t) 

■t 

■t) 

■t) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdr x)) 't) 

’t) 

(if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

■t) 

■»))) 

Is this step obvious? 

37 

Yes, if we remember to use if-same twice. 

(if (atom x) 

't 

(if (ctx? (car x)) 

(if (equal (ctx? (car x)) 't) 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdr x)) 't) 

’t) 

't 

't) 

't) 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdrx)) 't) 

't) 

(if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

■t) 

■t))) 

(if (atom x) 

't 

(if (ctx? (car x)) 

't 

(if (if (ctx? (cdr x)) 

(equal (ctx? (cdrx)) 't) 

■t) 

(if (ctx? (cdrx)) 

(equal (ctx? (cdrx)) 't) 

■t) 

■t))) 
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What do these two its have in common? 

38 

They have the question (ctx? (cdr x)) in 
common, so we use If Lifting. We also 
simplify the final if else using if-same. 

(if (atom x) 

't 

(if (ctx? (car x)) 

't 

(if (if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

't) 

(if (ctx? (cdrx)) 

(equal (ctx? (cdr x)) 't) 

■t) 

■t))) 

(if (atom x) 

't 

(if (ctx? (car x)) 

't 

(if (ctx? (cdr x)) 

(if (equal (ctx? (cdr x)) 't) 

(equal (ctx? (cdr x)) 't) 

■t) 

■t))) 

And now? 

39 

We use the inductive premise to rewrite 
(ctx? (cdr x)), and use equal-same to 
rewrite this focus to 't. 

(if (atom x) 

't 

(if (ctx? (car x)) 

't 

(if (ctx? (cdrx)) 

(if (equal (ctx? (cdr x)) 't) 

(equal (ctx? (cdr x)) 't) 

4) 

't))) 

(if (atom x) 

't 

(if (ctx? (car x)) 

't 

(if (ctx? (cdr x)) 

(if (equal (ctx? (cdr x)) 't) 

't 

't) 

't))) 

What next? 

40 

We are done proving ctx?/t and ctx?/sub. 

Maybe try out Star Induction with 
J-Bob. The full proofs are on page 188. 

41 

We might try it out. 
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Familiar with this function? It is straightforward with member?. 


(defun member? (x ys) 


(defun set? (xs) 

(if (atom ys) 


(if (atom xs) 

'nil 


't 

(if (equal x (car ys)) 

't 


(if (member? (car xs) (cdrxs)) 

| -1 

L 

(member? x (cdr ys))))) 


nil 

(set? (cdr xs))))) 

measure: (size ys) 


measure: (size xs) 


Define set? that takes a list of atoms and 
has the value 't if there are no duplicates 
in the list and otherwise has the value 


Here is the claim that we need to prove 
to show that member? is total. 

(if (natp (size ys)) 

(if (atom ys) 

't 

(if (equal x (car ys)) 

't 

(< (size (cdrys)) (size ys)))) 

'nil) 


As usual, we drop off the outer if using 
natp/size and if-true. 

(if (atom ys) 

't 

(if (equal x (car ys)) 

't 

(< (size (cdrys)) (size ys)))) 


Then we use size/cdr and the premise 

ys). 

(if (atom ys) 

't 

(if (equal x (car ys)) 

't 

(< (size (cdrys)) (size ys)) 



That’s familiar, too. 

(if (atom ys) 

't 

(if (equal x (car ys)) 
't 

■t)) 


And then we are done. 


By if-same twice. 


(if (atom ys) 't 

't 

(if (equal x (car ys)) 

't 

’t)) 
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Now for the claim that set? is total. The 
proof uses the identical sequence of six 
steps as that of member?. How do the 
totality proofs of set? and member? 
differ? 

(if (natp (size xs)) 

(if (atom xs) 

't 

(if (member? (car xs) (cdr xs)) 

't 

(< (size (cdr xs)) (size xs)))) 

'nil) 


No, because we do not know what 

add-atoms is. 


No, we don’t yet know whether 
add-atoms is total. 


What do we need to know to determine We need to know its totality claim, 
whether add-atoms is total? 

9 

Good point. Does add-atoms have a We do not know, 

totality claim? 


Here is the definition of add-atoms. Can 
we prove a claim about atoms now? 



Here is the definition of atoms. Can we 
state and prove a claim about it? 

(defun atoms (x) 

(add-atoms x '())) 


The expression (equal x (car ys)) is 
replaced by (member? (car xs) (cdrxs)), 
but neither proof cares about that if 
question. 

Q.E.D. 

't 
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What does a totality claim tell us about A totality claim tells us that the 
a function? function’s measure decreases on every 

recursive call. 


Exactly. Can we state add-atoms ’s claim? 


Perhaps. 


What is add-atoms ’s measure? 


Its measure is (size x) 


Does add-atoms have a recursive 
application? 


Yes, 

(add-atoms (car x) 
(add-atoms (cdrx) ys)) 


We must state that the measure (size x) 
decreases for 

(add-atoms (car x) 

(add-atoms (cdrx) ys)). 

What does it mean for the measure to 
decrease for this recursive application? 


14 


We are not sure 


How would we use the Law of Defun for 
the recursive application 

(add-atoms (car x) 

(add-atoms (cdrx) ys))? 


By replacing x with (car x) and ys with 
(add-atoms (cdr x) ys) in the body of 
add-atoms. 


Let’s do the same for the measure of 

add-atoms. 


As in, replace x with (car x) and ys with 
(add-atoms (cdr x) ys) in (size x)? 


Correct. 


17 


The result is (size (car x)). 
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Perhaps it means that the measure for 
this recursive application is less than the 
measure for add-atoms. 

is (size (cdr x)). What does it mean for 
the measure to decrease for this recursive 
application? 


Exactly. The measure for the recursive 
application 

(add-atoms (car x) 

(add-atoms (cdr x) ys)) 


How do we state that claim as an 
expression? 


Here is the expression: 

(< (size (car x)) (size x)). Is this 
add-atoms’s totality claim? 


No, not yet. We still have one recursive Yes, the second argument of the first 
application left. recursive application in add-atoms is also 

recursive: (add-atoms (cdr x) ys). 


What is the measure for the remaining By replacing x with (cdr x) and ys with 

recursive application from add-atoms? ys in (size x), we get (size (cdr x)). 


What next? 


Next, we state the claim that the 
measure decreases for the remaining 
recursive application: 

(< (size (cdrx)) (size x)). 


Yes. We have separate statements for 
each recursive application in add-atoms 
that the measure must decrease. State 
that both claims must be true. 


That’s easy. 

(if (< (size (car x)) (size x)) 

(< (size (cdrx)) (size x)) 

■nil) 

Is this add-atoms’s totality claim? 
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No, that is still not the complete totality 
claim. Are we sure the expression in 
frame 23 states that both 
(< (size (car x)) (size x)) and 
(< (size (cdr x)) (size x)) must be true? 


24 


Of course 


Conjunction 

The conjunction of expressions e 1 ... e n states that each of 
e,, ..., e must be true. 

1 / / n 

The conjunction of zero expressions is 't. 

The conjunction of one expression e x is e 1 . 

The conjunction of e 1 and e 2 is e x if e 2 is 't, it is e 2 if e x is 
't, and otherwise it is (if e 1 e 2 'nil). 

The conjunction of three or more expressions e 1 e 2 ... e n is 
the conjunction of e x and the conjunction of e 2 ... e . 


What does the claim in frame 23 state? It states that the measure of add-atoms 

must decrease for the function’s two 
recursive applications. 


When does add-atoms call itself When x is not an atom, 

recursively? 


That’s right. For add-atoms to be total, What about the case where x is an atom? 
we only need to prove the claim in 
frame 23 in the case where x is not an 
atom. Restate the claim to say so. 
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There are no recursive applications in 
add-atoms when x is an atom, so there’s 
nothing we need to prove. 


28 


In that case, here is the new claim. 

(if (atom x) 

't 

(if (< (size (car x)) (size x)) 

(< (size (cdr x)) (size x)) 

'nil)) 

This is the totality claim for add-atoms, 
isn’t it? 

Unfortunately not. But we are almost Good. What’s next? 

finished. 


We have stated that the measure for At most (size x), surely, 

add-atoms must decrease when it makes 
recursive calls. How many times can it 
decrease? 


What prevents the measure from 
decreasing more than (size x) times? 

(if (< (size (car x)) (size x)) 
(< (size (cdrx)) (size x)) 
'nil)) 

'nil) 



112 


Chapter 8 







Constructing Totality Claims 

Given a function (defun name (x 1 ... x n ) body) and a measure 
m, construct a claim for subexpressions in body : 

For variables and quoted literals, use 't. 

For (if Q A E) where the claims for Q, A, and E are c , c a , 
and c e , if c a and c e are the same use the conjunction of c 
and c a , otherwise use the conjunction of c and (if Q c a c e ). 

For any other expression E, consider each recursive appli¬ 
cation (name e 1 ... e n ) in E. Construct the measure m r of 
the recursive application by substituting e 1 for x 1 , ..., e n 
for x n in m. The claim for E is the conjunction of (< m r m) 
for every recursive application in E. 

The totality claim for name is the conjunction of (natp m) 
and the claim for body. 


And that is the totality claim for Finally, 

add-atoms. 


We can prove the totality claim for 

add-atoms. 

(if (natp (size x)) 

(if (atom x) 

't 

(if (< (size (car x)) (size x)) 

(< (size (cdr x)) (size x)) 

■nil)) 

'nil) 


Easily done. 

't 

Can we prove something about 
add-atoms now? 


First let’s take a break. We can walk Or perhaps it is just time for a 

through this totality proof with J-Bob on mid-morning snack, 
page 192, and find out how J-Bob 
constructs totality claims in Appendix C. 
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Now that we know add-atoms and atoms No, we do not understand the definition 
are total, can we state and prove a claim of add-atoms, 
about either of them? 


Given a value as its first argument and a '(bcdae). 

list of unique atoms as its second 

argument, add-atoms adds all of the 

atoms from the first argument to the 

second argument, except those that are 

already in the list. What value is 

(add-atoms '(a . (b . (c . a))) '(d a e))t 

equal to? 

^The notation (x . y) inside a quoted literal 
represents the result of (cons 'x 'y)- Normally, we 
only use cons when its second argument is a list. 

In this chapter and in chapter 10, however, we 
ignore this restriction in order to write simpler 
functions and proofs. 


What value is '(bed a e). 

(add-atoms '((a . b) - (c . a)) '(d a e)) 
equal to? 


What value is '(d a e). 

(add-atoms 'a '(d a e)) 
equal to? 


5 

What value is '(b d a e). 

(add-atoms 'b '(d a e)) 
equal to? 


What value is '(bed a e). 

(atoms '(((a . b) . (c . a)) . (d . (a . e)))) 
equal to? 
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We can now state a claim about atoms. 

(dethm set?/atoms (a) 

(equal (set? (atoms a)) 't)) 


Let’s try to prove it. 


What do we do with this focus? We start by using atoms. 

(equal (set (atoms a)) 't) (equal (set? (add-atoms a '())) 't) 


What now? 


The function add-atoms treats a as either 
an atom or as nested cons pairs. So, we 
can use Star Induction. 


In order to use induction, let’s create a 
separate theorem about add-atoms. 



Certainly. 


(dethm set?/add-atoms (a) 

(equal (set? (add-atoms a '())) ’t)) 


What is the inductive claim we must Here it is. 

prove? 

(equal (set? (add-atoms a '())) 't) (if (atom a) 

(equal (set? (add-atoms a '())) 't) 

(if (equal (set? (add-atoms (car a) '())) 't) 

(if (equal (set? (add-atoms (cdra) '())) 't) 
(equal (set? (add-atoms a '())) 't) 

’t) 

’t)) 
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Let’s use add-atoms on a and '(). Do the 
recursive applications correspond to our 
inductive premises? 

12 

No, they do not; the inductive premise 
for (car a) and the recursive application 
for (car a) do not match. In the inductive 
premise, the second argument is 
(add-atoms (cdr a) '()). In the recursive 
application, the second argument is '(). 

(if (atom a) 

(equal (set? (add-atoms a '())) 't) 

(if (equal (set? (add-atoms (car a) '())) 't) 

(if (equal (set? (add-atoms (cdra) '())) 't) 
(equal (set? 

(add-atoms a '()) 

’t) 

't) 

■t)) 

(if (atom a) 

(equal (set? (add-atoms a '())) 't) 

(if (equal (set? (add-atoms (car a) '())) 't) 

(if (equal (set? (add-atoms (cdr a) '())) 't) 
(equal (set? 

(if (atom a) 

(if (member? a '()) 

'() 

(cons a '())) 

(add-atoms (car a) 

(add-atoms (cdra) '()))) 

■t) 

■t) 

■t)) 

Star Induction is not helping us in this 
proof. We need inductive premises that 
match the recursion in our functions. 

13 

We only know List Induction and Star 
Induction, and neither of them look like 
the recursion in add-atoms. 

Does add-atoms use natural recursion? 

14 

Yes, for only one argument. The 
argument x is replaced by (car x) and 
(cdr x) in the recursive applications. The 
argument ys, however, stays ys in one 
recursive application and becomes 
(add-atoms (cdr x) ys) in the other. 

Why isn’t 

(add-atoms (car x) 

(add-atoms (cdrx) ys)) 

In a natural recursion, every argument 
must stay the same or be a structural 
part of the given one. The argument 
(add-atoms (cdr x) ys) is neither the 

a natural recursion? 

same as ys, nor a part of ys. If add-atoms 
does not use natural recursion, can we 
prove set?/atoms by induction? 
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Induction uses inductive premises, which 
are natural recursions for proofs. 
Without natural recursion, our proof 
does not have the right inductive 
premises. We are stuck. 


Is there hope? 


Yes, but we need to find a kind of 
induction that matches the recursion in 
add-atoms. 


17 


Is there a kind of induction like that? 


We can create a new kind of induction. 
Given any total, recursive function, we 
can always state inductive claims based 
on the recursion in the function. 


That’s surprising. Does that mean we 
can create a whole new kind of induction 
just for add-atoms? 


Absolutely. To begin, we need to state a 
claim in terms of add-atoms that we want 
to use our new kind of induction on. 


How about the claim in frame 11? 

(equal (set? (add-atoms a '())) 't) 


That’s a start, but in order for induction 
to substitute the correct inductive 
premises, we need the arguments of 
add-atoms to be variables. Can we state 
a more general claim where the 
arguments are both variables? 


20 


We certainly can. 

(equal (set? (add-atoms a bs)) 't) 


Is that claim true? 


21 


No, (equal (set? (add-atoms 'a '(b b))) 't) 

is a counterexample. 


What must be true of bs for the claim to 
hold? 


22 


If bs is a list with no duplicates, then 
(add-atoms a bs) is also a list with no 
duplicates. 
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Can we state that claim? 


23 


Certainly. 



Now how does induction for add-atoms 
work? 


What must the inductive claim for Good question. We do not know. 

set?/add-atoms state? 


The inductive claim for set?/add-atoms 
must state that in the cases where 
add-atoms does not call itself, 
set?/add-atoms is true, and in the cases 
where add-atoms does call itself, 
set?/add-atoms is true of the original 
arguments if it is also true of the 
arguments to the recursive applications. 


25 


How do we state that? 


In what case is add-atoms non-recursive? 


26 


When x is an atom, add-atoms is 


non-recursive. 


In that case, we must state that 
set?/add-atoms is true. 


27 


In other words, we must state 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t). 

That’s easy so far. 


Precisely. What case remains? 


28 


The case where x is not an atom. 
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In that case, we must also state that 
set?/add-atoms is true. 


29 


Can inductive claims really be this 
simple? 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t) 


Not quite. We must still address 
recursive applications in add-atoms. 
What is the first recursive application? 


30 


(add-atoms (car x) 
(add-atoms (cdr x) ys)) 


We must state that set?/add-atoms holds 
for the arguments of this recursive 
application. 


31 


In other words, replace x with (car x) 
and ys with (add-atoms (cdr x) ys) in 
set?/add-atoms. 


Almost. In set?/add-atoms, do x and ys 
appear? 


32 


No, they do not. 


An inductive claim does not necessarily 
use the same variables as the recursive 
function it is based on. Recall that in 
frame 20 we do choose to use variables as 
the arguments to add-atoms in 
set?/add-atoms. What variables do we 
use? 


33 


We use a and bs 


What is the first recursive application in 
add-atoms, if we use a and bs instead of x 
and ys? 


34 


(add-atoms (car a) 
(add-atoms (cdr a) bs)) 


How do we state that set?/add-atoms 
holds for the arguments of this recursive 
application? 


35 


We replace a with (car a) and bs with 
(add-atoms (cdr a) bs) in set?/add-atoms 
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Very good. What is the result? 

36 

(if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 


What next? 

The recursive application 
(add-atoms (cdr a) bs) remains. 

37 

Presumably, we must replace a with 
(car a) and bs with bs in set?/add-atoms. 

That presumption is correct, indeed. 

38 

(if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 

■t) 

■t) 

What is this expression for? 

The expressions in frames 36 and 38 are 
the inductive premises for the inductive 
claim of set?/add-atoms. 

39 

Interesting. 


Inductive Premises 

Given a claim c, a recursive application ( name e x ... e n ), 
and variables x 1 ... x n , the inductive premise for this ap¬ 
plication is c where x 1 is e 19 ..., x n is e n . 
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(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 

■t) 

■t) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 

■t) 

■t) 

■t) 

■t). 


Are we sure that this expression states Indubitably, 

that if the inductive premises in 
frames 36 and 38 are true, then 
set?/add-atoms must be true as well? 


Implication 

An implication states that some premises imply a conclu¬ 
sion. In other words, when the premises e 1 ... e n are true, 
the conclusion e 0 must be true as well. 

For zero premises, the implication is e 0 . 

For one premise e l5 the implication is (if e x e 0 't). 

For two or more premises e 1 e 2 ... e n , state that e 1 implies 
that the conjunction of the premises e 2 ... e n imply the 
conclusion e 0 . 


Next, state that if both inductive 
premises are true, set?/add-atoms must 
be true. 
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In frames 27 and 40, we state claims 
about set?/add-atoms for the cases where 
a is an atom and where a is not an atom. 


42 


What is left to do? 


Put the two cases together, of course. 


We can certainly do that: 


(if (atom a) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 

■t) 

■t) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) ’t) 

■t) 
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Defun Induction 

Given a claim c, a function (defun namef (x 1 ... x n ) bodt/j), 
and a choice of variables y 1 ... y n , we construct a claim for 
subexpressions of body where body.^ is bodyj with x 1 replaced 
by y, , . . . , and x n replaced by y n : 

For (if Q A E) where the claims for A and E are c a and c e , 
state that the inductive premises of Q imply c oe , where c ae 
is c a if c a is equal to c e , and (if Q c a c e ) otherwise. 

For any other expression F, state that the inductive 
premises of E imply c. 

The inductive claim of c is the claim for body, L . 


That is the inductive claim for There is nothing to it! 

set?/add-atoms, using induction based on 
the definition of add-atoms. 


Really? 


45 


No, not really. 


We have stated the claim to prove Impressive! How does this differ from 

set?/add-atoms by Defun Induction using List Induction or Star Induction? 

add-atoms. 


Actually, these forms of induction do not What functions are those? 

differ. List Induction and Star Induction 

are each based on Defun Induction. We 

define a function for each that produces 

the appropriate inductive premises. 


124 


Chapter 9 









48 

We use list-induction for List Induction. How about Star Induction? 

(defun list-induction (x) 

(if (atom x) 

'() 

(cons (car x) 

(list-induction (cdrx))))) 

measure: (size x) 


We use star-induction, of course. Are there other function definitions we 

- should use for common forms of 

(defun star-induction (x) induction? 

(if (atom x) 
x 

(cons (star-induction (car x)) 

(star-induction (cdrx))))) 

measure: (size x) 


None come to mind, but they have a way Does Defun Induction work for every 

of popping up when we least expect function we write? 

them. 


The ways that we construct inductive Which functions are those? 

claims and totality claims work for every 
function, but they work better for some 
functions than others. 


When we construct inductive claims and What happens when an if expression is 
totality claims, we assume that if inside the argument of an application? 

expressions are outside all other 
expressions; we ignore if expressions in 
the arguments of applications. 
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In some cases we might get a claim we What can we do then? 

cannot prove, even though our defun is 
total or our dethm is actually a theorem. 


There are trickier ways to create totality How? 

claims and inductive claims that work 

for all ifs. But we can always just rewrite 

our functions to have the ifs on the 

outside. 


With If Lifting, of course! Of course. Then can we write totality 

claims and inductive claims that work 
for every total function? 

56 

No, not every total function.^ There is Now back to the proof, please! 

always more to learn. 

t Some total functions do not have a natu¬ 
ral number measure. Many more functions can 
be proved total by using ordinal numbers. See 
“Restless for More?” for further reading. 
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We should try to prove set?/add-atoms 
again using Defun Induction on 
add-atoms. 

(dethm set?/add-atoms (a bs) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t)) 


And here again is the inductive claim 
from frame 43. 


(if (atom a) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

’t) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

'») 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

■t) 

■*)) 


Next, we use add-atoms, if-nest-A, and Yes, these steps are easy, 

the premise (atom a). 


(if (atom a) 

(if (set? bs) 

(equal (set? (add-atoms a bs) 

't) 

’t) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) *t) 

■t) 

■t) 

■t)) 


(if (atom a) 

(if (set? bs) 

(equal (set? (if (member? a bs) 

bs 

(cons a bs)) 

■t) 

■t) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 


■t) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

■t) 

■t)) 
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59 

What comes next? 

If Lifting on (member? a bs). 

(if (atom a) 

(if (atom a) 

(if (set? bs) 

(if (set? bs) 

(equal (set? (if (member? a bs) 

(equal (if (member? a bs) 

bs 

(set? bs) 

(cons a bs))) 

(set? (cons a bs))) 

■t) 

■t) 

■t) 

■t) 

(if (if (set? (add-atoms (cdr a) bs)) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

■t) 

■t) 

(if (if (set? bs) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

■t) 

(if (set? bs) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

■t) 

■t) 

■t) 

■t)) 

■t)) 


uu 

If (set? bs) is true in the premise, then it 
should be equal to 't, right? 

That seems reasonable. 

(if (atom a) 

(if (atom a) 

(if (set? bs) 

(if (set? bs) 

(equal (if (member? a bs) 

(equal (if (member? a bs) 

(set? bs) 

't 

(set? (cons a bs))) 

(set? (cons a bs))) 

■*) 

■t) 

■t) 

■t) 

(if (if (set? (add-atoms (cdr a) bs)) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

(add-atoms (cdr a) bs))) 

'*) 

’t) 

■t) 

■t) 

(if (if (set? bs) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) ’t) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

■t) 

(if (set? bs) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) ’t) 

(equal (set? (add-atoms a bs)) *t) 

■t) 

■t) 

't) 

■t) 

■t)) 

■t)) 
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61 

How can we do that? 

With the claim set?/t. 


(dethm set?/t (xs) 

(if (set? xs) 

(equal (set? xs) 't) 

't)) 

Like ctx?/t in frame 19 of chapter 7, we 
state set?/t as a separate claim, and we 
must eventually prove the claim. 


_ jCj 

Now we use set? with the argument 

We simplify the result using atom/cons, 

(cons a bs). 

car/cons, cdr/cons twice, and if-false. 

(if (atom a) 

(if (atom a) 

(if (set? bs) 

(if (set? bs) 

(equal (if (member? a bs) 

it 

(equal (if (member? a bs) 

L 

(set? (cons a bs)) 

L 

(if (member? a bs) 

■t) 

'nil 

■t) 

(set? bs))) 

(if (if (set? (add-atoms (cdr a) bs)) 

't) 

(equal (set? (add-atoms (car a) 

’t) 

(add-atoms (cdr a) bs))) 

(if (if (set? (add-atoms (cdr a) bs)) 

■t) 

(equal (set? (add-atoms (car a) 

’t) 

(add-atoms (cdr a) bs))) 

(if (if (set? bs) 

■t) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

■t) 

(if (if (set? bs) 

(if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

(equal (set? (add-atoms a bs)) ’t) 

■t) 

■t) 

(if (set? bs) 

■t) 

(equal (set? (add-atoms a bs)) 't) 

•t)) 

't) 

't) 

’t)) 

It looks like our premises (set? bs) and 
(member? a bs) are about to come in 
handy. 
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63 

Then let’s use those premises. 

And with a few more rewrites, we finish 
the case where a is an atom. 

(if (atom a) 

(if (atom a) 

(if (set? bs) 

't 

(equal (if (member? a bs) 

(if (if (set? (add-atoms (cdr a) bs)) 

't 

(equal (set? (add-atoms (car a) 

(if (member? a bs) 

(add-atoms (cdr a) bs))) 

'nil 

’t) 

(set? bs))) 

’t) 

’t) 

(if (if (set? bs) 

■t) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

(if (if (set? (add-atoms (cdr a) bs)) 

■t) 

(equal (set? (add-atoms (car a) 

(if (set? bs) 

(add-atoms (cdr a) bs))) 

(equal (set? (add-atoms a bs)) 't) 

’t) 

■t) 


■t) 

(if (if (set? bs) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

(if (set? bs) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

■t) 

’t)) 

■t)) 


VJ ‘-± 

Do these two ifs have anything in 

Certainly, they have the same if 

common? 

question. We can combine them using If 
Lifting, of course. We use if-same twice 
in the final if else, as well. 

(if (atom a) 

't 

(if (atom a) 

L 

(if (if (set? (add-atoms (cdr a) bs)) 

L 

(if (set? bs) 

(equal (set? (add-atoms (car a) 

(if (if (set? (add-atoms (cdr a) bs)) 

(add-atoms (cdr a) bs))) 

(equal (set? (add-atoms (car a) 

■t) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

(if (if (set? bs) 

■t) 

(equal (set? (add-atoms (cdr a) bs)) 't) 

(if (equal (set? (add-atoms (cdr a) bs)) 't) 

■t) 

(equal (set? (add-atoms a bs)) 't) 

(if (set? bs) 

■t) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

■t) 

■t)) 

■t) 


■t)) 
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65 

We use If Lifting again, since both if 

We also simplify the else of the new if 

questions essentially ask 

using if-true. 

(set? (add-atoms (cdra) bs)). 


(if (atom a) 

If 

(if (atom a) 

L 

(if (set? bs) 

L 

(if (set? bs) 

(if (if (set? (add-atoms (cdr a) bs)) 

(if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) 

(if (equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

(add-atoms (cdr a) bs))) 

't) 

't) 

■t) 

(if (equal (set? (add-atoms (cdr a) bs)) 

(if (equal (set? (add-atoms (cdr a) bs)) ’t) 

(equal (set? (add-atoms a bs)) ’t) 

(equal (set? (add-atoms a bs)) ’t) 

■t) 

■t) 

■t) 

■t) 

(if (equal (set? (add-atoms (cdr a) bs)) ’t) 

■t)) 

(equal (set? (add-atoms a bs)) f t) 


■t)) 


■t)) 

66 

The if questions written in orange both 

In the case where the premise 

mean the same thing as 

(set? (add-atoms (cdr a) bs)) is true, it is 

(set? (add-atoms (cdr a) bs)), but we 

equal to ‘t by set?/t. In the case where 

can’t simplify them using if-nest-A or 

the premise is false, it is equal to 'nil. 

if-nest-E. Do we have a way to rewrite 


these? 


(if (atom a) 

't 


L 

(if (set? bs) 


(if (set? (add-atoms (cdr a) bs)) 


(if (equal (set? (add-atoms (car a) 


(add-atoms (cdr a) bs))) 


■t) 


(if (equal (set? (add-atoms (cdr a) bs)) ’t) 


(equal (set? (add-atoms a bs)) ’t) 


■t) 


■t) 


(if (equal (set? (add-atoms (cdr a) bs)) ’t) 


(equal (set? (add-atoms a bs)) ’t) 


■t)) 


■t)) 
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67 

In that case, we need a new claim to say 
that it is equal to 'nil. 1 

Naturally. 

(dethm set? /nil (xs) 

(if (set? xs) 

't 

(equal (set? xs) 'nil))) 



68 

Let s use our new theorem. 

Very well. We shall use set?/t and 


set? /nil with the premise written in 

orange. 

(if (atom a) 

't 

(if (atom a) 

't 

L 

(if (set? bs) 

L 

(if (set? bs) 

(if (set? (add-atoms (cdr a) bs)) 

(if (set? (add-atoms (cdr a) bs)) 

(if (equal (set? (add-atoms (car a) 

(if (equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

(add-atoms (cdr a) bs))) 

't) 

’t) 

(if (equal (set? (add-atoms (cdr a) bs)) t) 

(if (equal 't 't) 

(equal (set? (add-atoms a bs)) 't) 

(equal (set? (add-atoms a bs)) 't) 

■t) 

■t) 

■t) 

■t) 

(if (equal (set? (add-atoms (cdr a) bs)) t) 

(if (equal 'nil 't) 

(equal (set? (add-atoms a bs)) 't) 

(equal (set? (add-atoms a bs)) 't) 


■t)) 

■t)) 
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Simplify both ifs. 

Easy, using equal twice, if-true, and 


if-false. 

(if (atom a) 

it 

(if (atom a) 

it 

L 

(if (set? bs) 

L 

(if (set? bs) 

(if (set? (add-atoms (cdr a) bs)) 

(if (set? (add-atoms (cdr a) bs)) 

(if (equal (set? (add-atoms (car a) 

(if (equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

(if (equal 't 't) 

(equal (set? (add-atoms a bs)) 't) 

(equal (set? (add-atoms a bs)) ’t) 

■t) 

■t) 

■t) 

't) 

■t)) 

(if (equal 'nil 't) 


(equal (set? (add-atoms a bs)) 't) 


■t)) 


■t)) 



Use add-atoms. 

We also drop an if using if-nest-E and the 


outermost premise. 

(if (atom a) 

If 

(if (atom a) 

It 

L 

(if (set? bs) 

1 

(if (set? bs) 

(if (set? (add-atoms (cdr a) bs)) 

(if (set? (add-atoms (cdr a) bs)) 

(if (equal (set? (add-atoms (car a) 

(if (equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

(equal (set (add-atoms a bs) 

(equal (set? (add-atoms (car a) 

■t) 

(add-atoms (cdr a) bs)) 

■t) 

■t) 

■t) 

■t) 

'»)) 

■t) 


■t)) 


Changing the Rules 


133 





And now? 


We can finally use the first inductive 
premise. 


(if (atom a) 

't 

(if (set? bs) 

(if (set? (add-atoms (cdr a) bs)) 

(if (equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

(equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

■t) 

■t) 

’t) 


(if (atom a) 

't 

(if (set? bs) 

(if (set? (add-atoms (cdr a) bs)) 

(if (equal (set? (add-atoms (car a) 

(add-atoms (cdr a) bs))) 

’t) 

't 

’t) 

't) 

■t)) 


And then we are essentially done. 


Let’s return to set?/atoms. Are we ready Hopefully, 
to prove it? 

(dethm set?/atoms (a) 

(equal (set? (atoms a)) ’t)) 


This proof is a little surprising, a little That sounds a little exciting, 

fun, and a little proof. 


First, use atoms. 


(equal (set? (atoms a)) 't) 


Very well. Can we use set?/add-atoms 
here? 

(equal (set: (add-atoms a '())) 't) 


Not yet, we need a premise, if-true makes 
room for one. 

(equal (set? (add-atoms a '())) 't) 

Surprise number one: if-true yields a 
premise wherever we need one. 


We need this premise to be (set? '()). 
How can we rewrite 't to (set? '())? 

(if't 

(equal (set? (add-atoms a '())) 't) 

’t) 
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The if-true theorem rewrites 't to an if 
that has the same answer and else as the 
body of set?, where xs is '(). 

And the question of the if? 

(if 't 

(equal (set? (add-atoms a '())) 't) 

't) 

(if (if 't 
't 

(if (member? (car '()) (cdr '())) 

'nil 

(set? (cdr '())))) 

(equal (set? (add-atoms a '())) 't) 

■t) 

Surprise number two: if-true lets us 
supply any else expression we like. 

Using atom rewrites 't to the if question 
from set?, again where xs is '(). 

77 

And now? 

(if (if 't 

If 

(if (if (atom '()) 

't 

L 

(if (member? (car '()) (cdr '())) 

'nil 

(set? (cdr '())))) 

(equal (set? (add-atoms a '())) 't) 

■t) 

L 

(if (member? (car '()) (cdr '())) 

'nil 

(set? (cdr '())))) 

(equal (set? (add-atoms a '())) 't) 

■t) 

Surprise number three: we can “run” 
atom in reverse, since 't and (atom '()) 
are equal. 


We use set?, where xs is '()! 

78 

And now we can use set?/add-atoms. 

(if (if (atom '()) 

't 

(if (member? (car '()) (cdr '())) 

'nil 

(set? (cdr '())))) 

(equal (set? (add-atoms a '())) 't) 

■t) 

(if (set? '()) 

(equal (set? (add-atoms a '())) 't) 

■t) 

The fourth and final surprise: we can use 
the Law of Defun to rewrite the body of 
set? where xs is '() to an application of 
set?. 
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Exactly. 

79 

And now we are virtually done. 

(if (set? '()) 

(equal (set? (add-atoms a '())) 't) 

’t) 

't 

Wasn’t that a little fun? 

And quite surprising. 

Do we need to prove set?/t and set?/nil? 

81 

Certainly we must. 

Try them out with J-Bob on page 193. 

82 

Can we try Defun Induction with J-Bob 
as well? 


Of course. Appendix A tells how to use That is good to know. 
J-Bob for Defun Induction, and 
Appendix C shows how J-Bob constructs 
inductive claims. 


84 

Now we know everything there is to Well, perhaps not everything, 

learn about Defun Induction. 


Go back through this chapter if It certainly can. 

necessary. Defun Induction can take 

time. 
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'((((french . toast) . and) - maple) - syrup). 


What value is 

(cons 

(cons 

(cons 

(cons 'french 'toast) 
'and) 

'maple) 

'syrup) 

equal to? 


How many conses are in Four, since each counts for one cons, 

'((((french > toast) . and) . maple) . syrup)? 


What value is '(((french . toast) . and) . (maple . syrup)), 

(rotate 

'((((french . toast) . and) . maple) . syrup)) 

equal to? 


How many conses are in Four again. 

'(((french . toast) . and) . (maple > syrup))? 


What value is '((french . toast) . (and . (maple . syrup))), 

(rotate 

'(((french . toast) . and) . (maple . syrup))). 

equal to? 


The Stars Are Aligned 


139 








How many conses are in Still four, 

'((french . toast) . (and . (maple . syrup)))? 


What value is 

(rotate 

'((french . toast) . (and . (maple . syrup)))). 


'(french . (toast . (and . (maple . syrup)))). 


equal to? 


How many conses are in Yet again, four! 

'(french > (toast > (and > (maple . syrup))))? 


Define rotate. 



(defun rotate (x) 

(cons (car (car x)) 

(cons (cdr (car x)) (cdrx)))) 


Is rotate/cons a theorem? 



We can find out. 


(dethm rotate/cons (x y z) 

(equal (rotate (cons (cons x y) z)) 

(cons x (cons y z)))) 


Use rotate. 


(equal (rotate (cons (cons x y) z)) 

(cons x (cons y z))) 


The claim is starting to look 
complicated. 

(equal (cons (car (car (cons (cons x y) z))) 

(cons (cdr (car (cons (cons x y) z))) 
(cdr (cons (cons x y) z)))) 

(cons x (cons y z))) 
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Simplify with car/cons and cdr/cons. 

(equal (cons (car (car (cons (cons x y) z))) 

(cons (cdr (car (cons (cons x y) z))) 
(cdr (cons (cons x y) z)) 

(cons x (cons y z))) 


12 


Much better. 

(equal (cons x 

(cons y 

z )) 

(cons x (cons y z))) 


And now ... We are done! 

(equal (cons x (cons y z)) 't 

(cons x (cons y z))) 


What value is '(french . (toast . (and . (maple . syrup)))), 

(align 

'(french . (toast > (and . (maple . syrup))))) 

equal to? 


What value is '(french . (toast . (and . (maple . syrup)))), 

(align 

'((french . toast) . (and . (maple . syrup)))) 

equal to? 


What value is '(french . (toast . (and . (maple . syrup)))), 

(align 

'(((french . toast) . and) > (maple > syrup))) 

equal to? 


What value is '(french . (toast . (and . (maple . syrup)))), 

(align 

'((((french . toast) . and) . maple) . syrup)) 

equal to? 
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Define align. 


(defun align (x) 

(if (atom x) 

x 

(if (atom (car x)) 

(cons (car x) (align (cdrx))) 
(align (rotate x))))) 

measure: (size x) 


Is (size x) an appropriate measure for The measure (size x) has always worked. 

align? 


Then let’s see if we can prove that align 
is total. Of course, (natp (size x)) is 't. 

(if (natp (size x)) 

(if (atom x) 

't 

(if (atom (car x)) 

(< (size (cdr x)) (size x)) 

(< (size (rotate x)) (size x)))) 

'nil) 


Yes, and by if-true, we remove the outer 

if. 

(if (atom x) 

't 

(if (atom (car x)) 

(< (size (cdrx)) (size x)) 

(< (size (rotate x)) (size x)))) 


Use size/cdr and the premise (atom x). 


Simple. 


(if (atom x) 

't 

(if (atom (car x)) 

(< (size (cdr x)) (size x)) 

(< (size (rotate x)) (size x)))) 


(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (size (rotate x)) (size x)))) 


Use cons/car+cdr twice. 


(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (size (rotate x)) 
(size x)))) 


Easy, since the focus is in the if else of 
the premise (atom x). 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (size (rotate (cons (car x) (cdrx)))) 
(size (cons (car x) (cdr x)) 
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And again, using the other premise. 

23 

A snap. 

(if (atom x) 

't 


(if (atom x) 

't 

L 

(if (atom (car x)) 

't 


L 

(if (atom (car x)) 

't 

L 

(< (size (rotate (cons (car x) 


(< (size (rotate (cons (cons (car (car x)) 

(cdrx)))) 


(cdr (car x))) 

(size (cons (car x) 


(cdrx)))) 

(cdrx)))))) 


(size (cons (cons (car (car x)) 



(cdr (car x))) 



(cdrx)))))) 

Now use the theorem rotate/cons. 

24 

Oh, so that’s why we proved rotate/cons! 

(if (atom x) 

't 


(if (atom x) 

't 

L 

(if (atom (car x)) 

't 


l 

(if (atom (car x)) 

•t 

L 

(< (size (rotate (cons (cons (car (car x)) 


L 

(< (size (cons (car (car x)) 

(cdr (car x))) 


(cons (cdr (car x)) 

(cdrx)))) 


(cdrx)))) 

(size (cons (cons (car (car x)) 


(size (cons (cons (car (carx)) 

(cdr (car x))) 


(cdr (car x))) 

(cdrx)))))) 


(cdrx)))))) 

Exactly. Sometimes it’s nice to think of 

25 

What if we hadn’t thought of rotate/cons 

a theorem ahead of time that makes it 


ahead of time? 

easier to prove things about a function. 



Then this proof would have been a little 

26 

That’s helpful to know. 

longer while we worked through all the 



car/cons and cdr/cons, but we’d get to 



the same place in the end. 
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Insight: Create Helpers for Repetition 

If a proof performs similar sequences of steps over and 
over, state a theorem that can perform the same rewrite 
as those steps via the Law of Dethm. Use that theorem in 
place of the sequence of steps to shorten the proof. 


What next? 


We have to prove that the size of 

(cons (car (car x)) 

(cons (cdr (car x)) (cdr x))) 

is smaller than the size of 
(cons 

(cons (car (car x)) (cdr (car x))) 
(cdr x)). 


Is the size of It doesn’t look smaller; it just looks 

(cons (car (car x)) rearranged. 

(cons (cdr (car x)) (cdrx))) 

smaller than the size of 
(cons 

(cons (car (car x)) (cdr (car x))) 

(cdr x))? 


Perhaps (size x) is not the right measure. 



How can we tell? 


Find a counterexample to the totality '4. 

claim for align. 

What value is (size x) equal to when x is 
'((((french . toast) . and) . maple) > syrup)? 
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What value is (size x) equal to when x is 
(rotate 

'((((french . toast) . and) . maple) . syrup))? 


What is the value of the totality claim 
for align in frame 20 where x is 

'((((french > toast) . and) . maple) > syrup)? 


32 


'nil, since '4 is not less than '4. Does that 
mean that align is not a total function? 


Not necessarily, 

perhaps we just need to pick a better 
measure. 


33 


How do we do that? 


The function wt returns 1 for an atom, 
and twice the wt of the car plus the wt of 
the cdr for a cons. What value is 

(wt 

'((((french . toast) . and) . maple) . syrup)) 

equal to? 


31. 


What does the name wt mean? 


oo 

It is short for weight. What value is 
(wt 

'(((french . toast) . and) . (maple . syrup))) 

equal to? 


17 


36 


o u 

What value is 
(wt 

'((french . toast) . (and . (maple . syrup)))) 

equal to? 


11 
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37 

What value is '9. 

(wt 

'(french > (toast . (and . (maple . syrup))))) 

equal to? 

Define wt. 

38 

It’s quite tricky, isn’t it? 

Yes, we know. Here it is. 

39 / 

Is (size x) the right measure this time? 

(defun wt (x) 


(if (atom x) 


'1 


(+ (+ (wt (car x)) (wt (car x))) 


(wt (cdrx))))) 


measure: (size x) 


Yes, we double-checked. But let’s prove 

40 

This is the same step as in frame 20. 

it. 


(if (natp (size x)) 

(if (atom x) 

(if (atom x) 

't 

't 

(if (< (size (car x)) (size x)) 

(if (< (size (car x)) (size x)) 

(< (size (cdrx)) (size x)) 

(< (size (cdr x)) (size x)) 

'nil)) 

■nil)) 


'nil) 



What do we do next? 


*4 1 

We use size/car and size/cdr, since we 
know x is not an atom. 

(if (atom x) 


(if (atom x) 

't 


't 

(< (size (car x)) (size 

X)) 

(if 't 

(< (size (cdrx)) (size 

X)) 

't 

'nil)) 


'nil)) 


146 


Chapter 10 









This proof is easy. 


42 


Indeed, it is. 


(if (atom x) 't 

't 

(if't 

't 

’nil)) 


We still need to prove align is total. This time, we choose wt as the measure. 

(defun align (x) 

(if (atom x) 

x 

(if (atom (car x)) 

(cons (car x) (align (cdrx))) 
(align (rotate x))))) 

measure: (wt x) 

_ 


Here is our totality claim, although we 
could have constructed it step by step. 

(if (natp (wt x)) 

(if (atom x) 

't 

(if (atom (car x)) 

(< (wt (cdr x)) (wt x)) 

(< (wt (rotate x)) (wt x)))) 

'nil) 

Is (wt x) always a natural number? 


We don’t know, but we suspect so. For 
now we rewrite (natp (wt x)) to 't and 
use if-true to drop the outer if. 

(if (atom x) 

't 

(if (atom (car x)) 

(< (wt (cdr x)) (wt x)) 

(< (wt (rotate x)) (wt x)))) 

We must prove our claim about wt and 
natp later. 

(dethm natp/wt (x) 

(equal (natp (wt x)) 't)) 
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Is the definition of wt helpful here? 


(if (atom x) 

't 

(if (atom (car x)) 

(< (wt (cdr x)) 

(wt x)) 

(< (wt (rotate x)) (wt x)))) 


Yes, and so are if-nest-E and the premise 
(atom x). 

(if (atom x) 

't 

(if (atom (car x)) 

(< (wt (cdr x)) 

(+ (+ (wt (carx)) (wt (car x))) 

(wt (cdr x)))) 

(< (wt (rotate x)) (wt x)))) 


Now what? 



We need to know how + and < work. 


We assume that 0 + x = x, x + y = y + x, Yes, we have heard the rumors, 
and x + (y + z) = (x + y) + z, among 
other things. 


The Axioms of + and < 


(dethm identity--!- (x) 

(if (natp x) (equal (+ '0 x) x) 't)) 


(dethm positives—I- (xy) 

(if (< '0 x) (if (< '0 y) (equal (< '0 (+ x y)) 't) 't) 't)) 


(dethm natp/+ (x y) 

(if (natp x) (if (natp y) (equal (natp (+ x y)) 't) 't) 't)) 


(dethm common-addends-< (x y z) 
(equal (< (+ x z) (+ y z)) (< x y))) 


(dethm commute-+ (xy) 
(equal (+x y) (+ y x))) 


(dethm associate-+ (x y z) 

(equal (+ (+ x y) z) (+ x (+ y z)))) 
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Using these new axioms, how can we 
rewrite our claim? 

48 

We should cancel the (wt (cdr x)) in both 
arguments to < using 

common-addends-<. 

(if (atom x) 

't 

(if (atom (car x)) 

(< (wt (cdr x)) 

(+ (+ (wt (carx)) (wt (car x))) 

(wt (cdr x)))) 

(< (wt (rotate x)) (wt x)))) 

For that, we must add something to the 
first argument of <. 

49 

We can add '0 to the first (wt (cdr x)) 
without changing its value. 

Only if (wt (cdr x)) is a natural number. 

5° 

The claim natp/wt (frame 44) states that 
it is, and if-true yields a place to put the 
corresponding premise, as in frame 75 of 
chapter 9. 

(if (atom x) 

't 

(if (atom (car x)) 

(< (wt (cdr x)) 

(+ (+ (wt (car x)) 

(wt (car x))) 

(wt (cdr x)))) 

(< (wt (rotate x)) (wt x)))) 

(if (atom x) 

't 

(if (atom (car x)) 

(if (natp (wt (cdr x))) 

(< (wt (cdr x)) 

(+ (+ (wt (car x)) 

(wt (car x))) 

(wt (cdr x)))) 

't) 

(< (wt (rotate x)) (wt x)))) 

Now we have the premise that 
(wt (cdr x)) is a natural number. 

51 

Therefore we use identity-+. 

(if (atom x) 

't 

(if (atom (car x)) 

(if (natp (wt (cdr x))) 

(< (wt (cdr x)) 

(+ (+ (wt (car x)) 

(wt (car x))) 

(wt (cdr x)))) 

't) 

(< (wt (rotate x)) (wt x)))) 

(if (atom x) 

't 

(if (atom (car x)) 

(if (natp (wt (cdrx))) 

(< (+ '0 (wt (cdr x))) 

(+ (+ (wt (car x)) 

(wt (car x))) 

(wt (cdr x)))) 

't) 

(< (wt (rotate x)) (wt x)))) 
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Next? 

52 

At last, we cancel (wt (cdr x)) using 


common-addends-<. 

(if (atom x) 

1 + 

(if (atom x) 

! + 

L 

(if (atom (car x)) 

L 

(if (atom (car x)) 

(if (natp (wt (cdr x))) 

(if (natp (wt (cdrx))) 

« (+ '0 

(< '0 

(wt (cdr x))) 

(+ (wt (car x)) 

(+ (+ (wt (car x)) 

(wt (carx)))) 

(wt (car x))) 

't) 

(wt (cdr x)))) 

(< (wt (rotate x)) (wt x)))) 

't) 


(< (wt (rotate x)) (wt x)))) 


Is (+ (wt (car x)) (wt (carx))) positive? 

53 

It is positive if (wt (car x)) is positive. 


54 


kJ 

It seems we need another premise. The 
claim natp/wt rewrites this focus to 't, 
provided that we eventually prove the 
claim. 

We also make the claim positive/wt, and 
rewrite this focus to a new premise. 

(dethm positive/wt (x) 

(equal (< '0 (wt x)) 't)) 

(if (atom x) 

't 

(if (atom (car x)) 

(if (natp (wt (cdr x))) 

(< '0 (+ (wt (carx)) 

(wt (car x)))) 

’t) 

(< (wt (rotate x)) (wt x)))) 

(if (atom x) 

't 

(if (atom (car x)) 

(if (< '0 (wt (carx))) 

(< '0 (+ (wt (car x)) 

(wt (car x)))) 

't) 

(< (wt (rotate x)) (wt x)))) 

We must, of course, prove positive/wt. 

55 

What do we use the new premise for? 

For positives--}-, of course., and then 


followed by if-same. 

(if (atom x) 

't 

(if (atom x) 

't 

L 

(if (atom (car x)) 

L 

(if (atom (car x)) 

(if (< '0 (wt (carx))) 

't 

(< '0 (+ (wt (carx)) 

(< (wt (rotate x)) (wt x)))) 

(wt (car x)))) 


't) 


(< (wt (rotate x)) (wt x)))) 
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One < comparison down. 

56 

And one to go. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (wt (rotate x) 

(wt x)))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (wt (cons (car (carx)) 

(cons (cdr (car x)) 

(cdrx)))) 

(wt x)))) 

Here, we use wt. Can we also use 
atom/cons and if- false to drop the 
resulting if? 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (wt (cons (car (car x)) 

(cons (cdr (car x)) 

(cdrx)))) 

(wt x)))) 

57 

Yes, and car/cons twice and cdr/cons 
once as well. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (cons (cdr (car x)) 

(cdrx)))) 

(wt x)))) 

Are the same steps useful again? 

Absolutely! 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (cons (cdr (carx)) 

(cdrx)))) 

(wt x)))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(+ (+ (wt (cdr (carx))) 

(wt (cdr (car x)))) 

(wt (cdrx)))) 

(wt x)))) 
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Do we use the same steps a third time? 

59 

No, this time we only use wt and 


if-nest-E, along with the premise 
(atom x). 

(if (atom x) 

(if (atom x) 

't 

L 

(if (atom (car x)) 

't 

l 

(if (atom (car x)) 

't 

L 

(< (+ (+ (wt (car (carx))) 

L 

(< (+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(+ (+ (wt (cdr (carx))) 

(+ (+ (wt (cdr (car x))) 

(wt (cdr (car x)))) 

(wt (cdr (car x)))) 

(wt (cdr x)))) 

(wt (cdr x)))) 

(wt x)))) 

(+ (+ (wt (carx)) 


(wt (car x))) 

(wt (cdr x)))))) 

Let’s use wt in these two focuses. Is 

eo 

Yes. Since we know that (car x) is not an 

there an obvious simplification we can do 
after that? 

atom, we use if-nest-E on both focuses. 

(if (atom x) 

■t 

(if (atom x) 

't 

L 

(if (atom (car x)) 

't 

L 

(if (atom (car x)) 

l 

(< (+ (+ (wt (car (carx))) 

L 

(< (+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(+ (+ (wt (cdr (carx))) 

(+ (+ (wt (cdr (carx))) 

(wt (cdr (car x)))) 

(wt (cdr (car x)))) 

(wt (cdr x)))) 

(wt (cdr x)))) 

(wt (car x)) 

(+ (+ (wt (car (car x))) 

(wt (car x)) 

(wt (car (car x)))) 

(wt (cdr x)))))) 

(wt (cdr (car x)))) 

(+ (+ (wt (car (car x))) 


(wt (car (car x)))) 

(wt (cdr (car x)))) 


(wt (cdr x)))))) 

My, how the claim has grown! 

What next? 
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Do the new axioms help make our claim 

62 

They might. First we use associate-T. 

smaller? 


(if (atom x) 

! + 

(if (atom x) 

■t 

L 

(if (atom (car x)) 

't 

L 

(if (atom (car x)) 

it 

l 

(< (+ (+ (wt (car (car x))) 

L 

(< (+ (+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(+ (+ (wt (cdr (car x))) 

(+ (wt (cdr (carx))) 

(wt (cdr (car x)))) 

(wt (cdr (carx))))) 

(wt (cdr x)))) 

(wt (cdr x))) 

(+ (+ (+ (+ (wt (car (carx))) 

(+ (+ (+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (car x)))) 

(wt (cdr (car x)))) 

(+ (+ (wt (car (car x))) 

(+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (car x))))) 

(wt (cdr (car x))))) 

(wt (cdr x)))))) 

(wt (cdr x)))))) 

Great choice. Why? 

63 

Now we can cancel out (wt (cdr x)) using 


common-addends-<. 

(if (atom x) 

't 

(if (atom x) 

•t 

L 

(if (atom (car x)) 

't 

L 

(if (atom (car x)) 
i t 

l 

(< (+ (+ (+ (wt (car (car x))) 

L 

(< (+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(+ (wt (cdr (carx))) 

(+ (wt (cdr (carx))) 

(wt (cdr (carx))))) 

(wt (cdr (carx))))) 

(wt (cdr x))) 

(+ (+ (+ (wt (car (carx))) 

(+ (+ (+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (car x)))) 

(wt (cdr (car x)))) 

(+ (+ (wt (car (car x))) 

(+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (carx)))))))) 

(wt (cdr (car x))))) 


(wt (cdr x)))))) 
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The claim is already smaller. What 

64 

We prepare to cancel out expressions 

next? 

again using associated and commute--!-. 

(if (atom x) 

(if (atom x) 

■t 

L 

(if (atom (car x)) 

it 

L 

(if (atom (car x)) 

it 

l 

(< (+ (+ (wt (car (car x))) 

L 

(< (+ (wt (cdr (carx))) 

(wt (car (car x)))) 

(+ (+ (wt (car (carx))) 

(+ (wt (cdr (car x))) 

(wt (car (car x)))) 

(wt (cdr (car x))))) 

(wt (cdr (carx))))) 

(+ (+ (+ (wt (car (carx))) 

(+ (+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (car x)))) 

(wt (cdr (car x)))) 

(+ ( + (wt (car (car x))) 

(+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (carx)))))))) 

(wt (cdr (carx)))))))) 

Go on. 

65 

We use common-addends-< once again to 


cancel out expressions in this focus. 

(if (atom x) 

(if (atom x) 

!+- 

L 

(if (atom (car x)) 

't 

L 

(if (atom (car x)) 

it 

L 

(< (+ (wt (cdr (carx))) 

L 

(< (wt (cdr (car x))) 

(+ (+ (wt (car (car x))) 

(+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (car (car x)))) 

(wt (cdr (carx))))) 

(wt (cdr (carx))))))) 

(+ (+ (+ (wt (car (car x))) 


(wt (car (car x)))) 


(wt (cdr (car x)))) 


(+ (+ (wt (car (car x))) 


(wt (car (car x)))) 


(wt (cdr (carx)))))))) 
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Can we cancel out more? 

66 

Yes, we can cancel (wt (cdr (car x))) on 
both sides. First, we use if-true and 
natp/wt to set up a new premise. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(< (wt (cdr (car x))) 

(+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (cdr (car x))))))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (natp (wt (cdr (car x)))) 

(< (wt (cdr (car x))) 

(+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (cdr (car x))))) 

■t))) 

And then? 

67 

We add 0 to the first argument of <, 
since we have a premise stating it is a 
natural number. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (natp (wt (cdr (car x)))) 

(< (wt (cdr (car x))) 

(+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (cdr (car x))))) 

’t))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (natp (wt (cdr (car x)))) 

(< (+ '0 (wt (cdr (car x)))) 

(+ (+ (wt (car (carx))) 

(wt (car (car x)))) 

(wt (cdr (car x))))) 

■t))) 

Next? 

68 

We use common-addends-< one last time. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (natp (wt (cdr (car x)))) 

(< (+ '0 

(wt (cdr (car x)))) 

(+ (+ (wt (car (car x))) 

(wt (car (car x)))) 

(wt (cdr (car x))))) 

’t))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (natp (wt (cdr (car x)))) 

(< '0 

(+ (wt (car (car x))) 

(wt (car (car x))))) 

■t))) 


The Stars Are Aligned 


155 






Now we must show that 

(+ (wt (car (carx))) (wt (car (car x)))) is 

positive. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (natp (wt (cdr (car x)))) 

(< '0 

(+ (wt (car (car x))) 

(wt (car (car x))))) 

't))) 

To start, we replace the inner if question 
using natp/wt and positive/wt. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (< '0 (wt (car (carx)))) 

(< '0 

(+ (wt (car (car x))) 

(wt (car (car x))))) 

■t))) 

Can we use the new premise? 

70 

We rewrite the remaining < comparison 
to 't with positives-+. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (< '0 (wt (car (carx)))) 

(< '0 (+ (wt (car (car x))) 

(wt (car (car x))))) 

■t))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (< '0 (wt (car (carx)))) 

't 

’t))) 

And then? 

71 

By three uses of if-same, we are done. 

We’ve earned a break. 

72 

But what about proving natp/wt and 
positive/wt? 

We prove them starting on page 197. 

73 

Okay, we shall continue, then, but not 
before taking a small snack. 
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Now we know that align is total. 


74 


Can we prove this theorem? 


(dethm align/align (x) 

(equal (align (align x)) (align x))) 


That’s a good idea. Is align/align likely 
to be true? 


75 


In frames 14-17, there are no 
counterexamples. 


Can we prove align/align by induction? 


76 


The function align is recursive. 


Yes, can we use induction based on the 
definition of align? 


77 


Probably, but how does that work? 


It is like stating the claim that align is 
total. 


78 


Yes, we already know how to do that 


Here is our claim. 


79 


(equal (align (align x)) (align x)) 

Create the inductive claim we must 
prove. Use Defun Induction on align 


Now we have an inductive premise for 
(align (cdr x)), and another for 
(align (rotate x)). 

(if (atom x) 

(equal (align (align x)) (align x)) 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align (align x)) (align x)) 

't) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 
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Use align in both focuses. 


(if (atom x) 

(equal (align (align x) (align x) 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align (align x)) (align x)) 

■t) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 


The definition of align includes the if 
question (atom x), which is already a 
premise. We can use if-nest-A in both 
focuses, too. 

(if (atom x) 

(equal (align x x 
(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align (align x)) (align x)) 

■t) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

■t))) 


In frame 80, we see that (align x) is equal And since x is equal to x, we apply 


to x when x is an atom by the definition 
of align and if-nest-A. 

(if (atom x) 

(equal (align x) x) 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align (align x)) (align x)) 

■t) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 


equal-same. 


(if (atom x) 

't 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align (align x)) (align x)) 

’t) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 
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Use align twice, again. 

(if (atom x) 

't 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align 

(align x) 

(align x) 

't) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 


That’s easy. We can simplify it using 
these premises, as well. 

(if (atom x) 

't 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(equal (align 

(cons (car x) (align (cdr x))) 
(cons (car x) 

(align (cdr x))) 

’t) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 


83 

What else have we used to do this We used if-nest-E and if-nest-A for the 

rewrite? questions (atom x) and (atom (car x)), 

respectively, taken from the definition of 

align. 
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84 


Use the definition of align to rewrite the 
application whose argument is 
(cons (car x) (align (cdrx))). Take the 
next four steps, too. 


(if (atom x) 

't 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdrx))) 

(equal (align (cons (car x) 

(align (cdrx)))) 
(cons (car x) 

(align (cdrx)))) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

■t))) 


Easy, using atom/cons, cdr/cons, and 
car/cons twice. 


(if (atom x) 

't 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdrx))) 

(equal (if 'nil 

(cons (car x) 

(align (cdrx))) 

(if (atom (car x)) 

(cons (car x) 

(align (align (cdrx)))) 
(align 
(rotate 
(cons (car x) 

(align (cdrx))))))) 

(cons (car x) 

(align (cdrx)))) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 
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Next simplify the ifs in this focus. 

85 

Done, using the helpful premise in 
orange. 

(if (atom x) 

(if (atom x) 

't 

't 

(if (atom (car x)) 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(align (cdr x))) 

(equal (if 'nil 

(equal (cons (car x) 

(cons (car x) 

(align (align (cdr x)))) 

(align (cdr x))) 

(cons (car x) 

(if (atom (car x)) 

(align (cdr x)))) 

(cons (car x) 

’t) 

(align (align (cdr x)))) 

(if (equal (align (align (rotate x))) 

(align 

(align (rotate x))) 

(rotate 

(equal (align (align x)) (align x)) 

(cons (car x) 

(align (cdr x))))))) 

(cons (car x) 

(align (cdr x)))) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

■t))) 

■t))) 


Apply the inductive premise using 

ou 

This is the premise corresponding to 

equal-if. 

natural recursion. We can remove the 
equal in the if answer, too. 

(if (atom x) 

(if (atom x) 

L 

(if (atom (car x)) 

L 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(if (equal (align (align (cdr x))) 

(align (cdr x))) 

(align (cdr x))) 

(equal (cons (car x) 

't 

(align (align (cdr x)))) 

't) 

(cons (car x) 

(if (equal (align (align (rotate x))) 

(align (cdr x)))) 

(align (rotate x))) 

't) 

(equal (align (align x)) (align x)) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

■t))) 

■t))) 
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Which way do we use the inductive 
premise? Do we rewrite 
(align (align (cdrx))) to (align (cdrx)) or 
vice versa? 

87 O 

Does it matter? 

No. Either way makes both arguments 
to equal the same. 

88 ^ 

Great. 

What next? 

89 

We drop an if. 

(if (atom x) 

't 

(if (atom (car x)) 

(if (equal (align (align (cdr x))) 

(align (cdrx))) 

’t 

■t) 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

't))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x)) (align x)) 

■t))) 

Once again, expand (align x). 

90 

And four if-nest- Es using two premises. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align x) 

(align x)) 

't))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align (rotate x)) 

(align (rotate x)) 

■t))) 
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91 

There’s only one more case. We have to Like this? 


use the other inductive premise. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (align (rotate x))) 

(align (rotate x))) 

■t))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (rotate x)) 

(align (rotate x))) 

■t))) 

Correct. 

And now we are done. 

(if (atom x) 

't 

(if (atom (car x)) 

't 

(if (equal (align (align (rotate x))) 

(align (rotate x))) 

(equal (align (rotate x)) 

(align (rotate x))) 

■t))) 

(if (atom x) 

't 

(if (atom (car x)) 

't 

’t)) 


That’s it for this proof. Feel free to visit Finally, Q.E.D.! 
J-Bob on page 196. 


Quick, Eat Doughnuts! 
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We’re now going to use J-Bob to explore What is J-Bob?t 

how we rewrite expressions. r~ ; ~~~ , _ . _ 

1 Thank you, J Moore and Bob Boyer. 


Patience. We will discover what J-Bob is Intriguing, 
by experimenting with it.^ 

^To play along, find J-Bob on page 202 or at 
http://the-little-prover.org/. 


What value is this expression equal to? The value, 

(J-Bob/step (prelude) ’(car (cons ’ham ’(cheese))) 

’(car (cons ’ham ’(cheese))) 

> 0 ) which represents the expression we start 

with in frame 8 of chapter 1. 


Here are our words: 

The first argument to J-Bob/step is a 
list of representations of definitions, in 
this case (prelude) representing 
J-Bob’s axioms and initial functions. 
The second argument represents an 
expression to rewrite. The third 
argument is a list of steps, processed 
first to last, to rewrite the expression. 
Here the list of steps is empty. 


Do the first and second arguments to What are representations of expressions 

J-Bob/step make sense? and definitions? 


What are J-Bob/step’s three 
arguments? 
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We represent expressions and definitions And what are steps to rewrite an 

as quoted values. For instance, to expression? 

represent the expression x, we write ’x, 

which is short for (quote x). Our 

expressions include variable names, e.g. 

’x; quoted values e.g. ’’eggs; if 
expressions, e.g. ’(if x y z), described 
in chapter 2; and function applications 
e.g. ’(cons ’eggs x). Definitions may 
be theorems or functions, such as 
’ (dethm truth () ’t) and 
’ (defun id (x) x), described in 
chapter 3. 


We shall see. What value is this 
expression equal to? 

(J-Bob/step (prelude) 

’(car (cons ’ham ’(cheese))) 

’((() (car/cons ’ham ’(cheese))))) 


The value, 


’ ’ham 


which represents the result of the rewrite 
in frame 8 of chapter 1. But why is there 
an empty list in the first step? 


That list is the path to the focus. The Okay. 

path is a list of directions from the 

current expression to the subexpression 

representing the focus in the pending 

rewrite. Here, since the focus is the 

entire expression (otherwise put, the 

context is empty), the path is empty as 

well. 


What value is this expression equal to? 

(J-Bob/step (prelude) 

’(equal ’flapjack (atom (cons a b))) 
’(((2) (atom/cons a b)) 

(() (equal ’flapjack ’nil)))) 


The value, 

’ ’nil 

which represents the result of the rewrite 
in frame 16 of chapter 1. 
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What value is this expression equal to? 


(J-Bob/step (prelude) 

’(atom (cdr (cons (car (cons 
’(((1 1 1) (car/cons p q)) 
((1) (cdr/cons p ’ ())) 

(() (atom ’())))) 


p q)) ’()))) 


The value, 


5 > 


which represents the result of the rewrite 
in frame 29 of chapter 1. But how does 
J-Bob find this value? 


How do we find the step in frame 29 of 
chapter 1? 


We use car/cons on p and q in the focus. 


Does J-Bob have that information? 


Yes, we see cons with arguments p and 
q. But what about the focus? 


Good question. Where is the focus in 
frame 29 of chapter 1? 


Inside the 1st argument to atom, which is 
(cdr (cons (car (cons p q)) ’())); 
inside the 1st argument to cdr, which is 
(cons (car (cons p q)) ’()), which 
is inside 1st argument to cons, which is 
(car (cons p q)), which then allows us 
to use car/cons with p and q. 


What value is this expression equal to? 

(J-Bob/step (prelude) 

’ (if a c c) 

’()) 


14 


The value, 

’ (if a c c) 

which represents the expression we start 
with in frame 5 of chapter 2. 


What value is this expression equal to? 

(J-Bob/step (prelude) 

’ (if a c c) 

’((() (if-same a c)))) 


The value, 


which represents the result of the rewrite 
in frame 5 of chapter 2. 
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What value is this expression equal to? 


The value, 


(J-Bob/step (prelude) 

’ (if a c c) 

’((() (if-same a c)) 

(() 

(if-same 

(if (equal a ’t) 

(if (equal ’nil ’nil) a b) 

(equal ’or 

(cons ’black ’(coffee)))) 

c)))) 


’(if (if (equal a ’t) 

(if (equal ’nil ’nil) 
a 
b) 

(equal ’or 

(cons ’black ’(coffee)))) 


c) 


which represents the result of the rewrite 


in frame 7 of chapter 2. 


What value is this expression equal to? 

(J-Bob/step (prelude) 

’ (if a c c) 

’((() (if-same a c)) 

(() 

(if-same 

(if (equal a ’t) 

(if (equal ’nil ’nil) 
a 
b) 

(equal ’or 

(cons ’black ’(coffee)))) 
c)) 

((Q E 2) (cons ’black ’(coffee))))) 


17 


The value, 


(if (if 


(equal a ’t) 

(if (equal ’nil ’nil) 
a 
b) 

(equal ’or 

’(black coffee))) 


c) 


which represents the result of the rewrite 
in frame 7 of chapter 2. But how does 
J-Bob find this value? 


How do we find the step in frame 7 of 
chapter 2? 


We use cons on 'black and '(coffee) in the 
focus. 


Does J-Bob have that information? 


Yes, we see cons with arguments ’black 
and ’ (coffee). But what about the 
focus? 


An excellent question. Where is the 
focus in frame 11 of chapter 2? 


20 


Inside the question of the outer if, in the 
else of the middle if, in the second 
argument to the outer cons. 
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21 


(Q E 1), right? 


Exactly. The (Q E 2) in the proof step 
in frame 17 of chapter 2 describes the 
path to this focus: in the Question of the 
outer if, in the Else of the middle if, 
and in the 2nd argument of the outer 
cons. How would we find the focus in 
the first argument of the outer cons? 

Yes. What value is this expression equal 
to? 

(J-Bob/step (prelude) 

’ (if a c c) 

’((() (if-same a c)) 

(() 

(if-same 

(if (equal a ’t) 

(if (equal ’nil ’nil) 
a 
b) 

(equal ’or 

(cons ’black ’(coffee)))) 
c)) 

((Q E 2) (cons ’black ’(coffee))) 

((Q A Q) (equal-same ’nil)))) 


As expected, the result of the rewrite in 
frame 12 of chapter 2. 

’(if (if (equal a ’t) 

(if ’t 
a 
b) 

(equal ’or 

’(black coffee))) 
c 
c) 


One more time. We expected the result of the rewrite in 

frame 14 of chapter 2, but instead the 
expression has not changed from 
frame 22 of chapter 2. Why? 

’(if (if (equal a ’t) 

(if ’t a b) 

(equal ’or 

’(black coffee))) 
c 
c) 


(J-Bob/step (prelude) 

’ (if a c c) 

’((() (if-same a c)) 

(() 

(if-same 

(if (equal a ’t) 

(if (equal ’nil ’nil) 


a 

b) 

(equal ’or 

(cons ’black ’(coffee)))) 
c)) 

((Q E 2) (cons ’black ’(coffee))) 

((Q A Q) (equal-same ’nil)) 

((Q A 2) (if-true a b)))) 
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What is the path to this focus in 
frame 14 of chapter 2? 


24 


This focus is in the question of the outer 
if and in the else of the middle if. 


And what path do we give J-Bob/step 
for the last step in frame 23 of chapter 2? 


(Q E 2), 

which means in the Q of the outer if, 
in the E of the middle if, and in the 
2nd argument of an application. But 
there is no application there! 


Exactly. J-Bob stops when a step is That is quite useful to know. 

incorrect, and does not perform any 

more rewrites. The J-Bob/step function 

returns whatever expression it has when 

it encounters the invalid step. 


Just once more; this time for certain. And this time, we get the right result. 

Now we have the correct path for the 

rewrite. 


(J-Bob/step (prelude) 

’ (if a c c) 

’((() (if-same a c)) 

(() 

(if-same 

(if (equal a ’t) 

(if (equal ’nil ’nil) 
a 
b) 

(equal ’or 

(cons ’black ’(coffee)))) 
c)) 

((Q E 2) (cons ’black ’(coffee))) 

((Q A Q) (equal-same ’nil)) 

((Q A) (if-true a b)))) 


’(if (if (equal a ’t) 

a 

(equal ’or 

’(black coffee))) 
c 
c) 


How does J-Bob arrive at this step? The step ( (Q A) (if-true a b)) 

describes the focus in the question of the 
outer if and the answer of the middle if 
as (Q A). The axiom to use is if-true 
and its arguments are a and b. 
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What value is this expression equal to? 


29 


A representation of the expression J t. 


(J-Bob/prove (prelude) 
’()) 


What value is this expression equal to? Also ”t. But why? What are the two 

arguments to J-Bob/prove? 

(J-Bob/prove (prelude) ’ ’t 

’(((defun pair (x y) 

(cons x (cons y ’()))) 
nil))) 

31 

The first argument is a list of definitions, Why does J-Bob/prove return ”t? 
and the second argument is a list of proof 
attempts. Each proof attempt starts with 
a definition and a seed. A seed is extra 
information outside of the definition used 
to generate the claim that must be 
proved. For the kinds of proofs we see in 
chapter 3, the seed is always nil. In later 
chapters, we see other kinds of seeds. 

The result of J-Bob/prove in frame 30 
of chapter 3 is ”t because the given 
defun is non-recursive; the only proof 
attempt therefore succeeds. 


What value is this expression equal to? Still ”t, because first-of and 

second-of are non-recursive. 

(J-Bob/prove (prelude) ’’t 

’(((defun pair (x y) 

(cons x (cons y ’()))) 
nil) 

((defun first-of (x) 

(car x)) 
nil) 

((defun second-of (x) 

(car (cdr x))) 
nil))) 
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What value is this expression equal to? 


34 


(J-Bob/prove (prelude) 

’(((defun pair (x y) 

(cons x (cons y ’()))) 
nil) 

((defun first-of (x) 

(car x)) 
nil) 

((defun second-of (x) 

(car (cdr x))) 
nil) 

((dethm first-of-pair (a b) 

(equal (first-of (pair a b)) 
nil))) 


a)) 


The body of first-of-pair, because we 
have not proved the theorem. 

’(equal (first-of (pair a b)) a) 


What value is this expression equal to? 


35 


(J-Bob/prove (prelude) 
’(((defun pair (x y) 
(cons x (cons y 
nil) 


()))) 


((defun first-of (x) 

(car x)) 
nil) 

((defun second-of (x) 

(car (cdr x))) 
nil) 

((dethm first-of-pair (a b) 

(equal (first-of (pair a b)) 
nil 

((1 1) (pair a b))))) 


a)) 


It is a representation of the result of the 
rewrite in frame 12 of chapter 3. 

’(equal (first-of (cons a (cons b ’()))) a) 


And why? 


36 


Perhaps because we have one step in the 
proof attempt for first-of-pair. 


Precisely. As we add steps to a proof, Handy. 

J-Bob performs the rewrites in order. 
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What value is this expression equal to? ”t again, because the second argument 

to J-Bob/prove includes a complete 
proof of f irst-of-pair. 

(J-Bob/prove (prelude) ’ J t 

’(((defun pair (x y) 

(cons x (cons y ’()))) 
nil) 

((defun first-of (x) 

(car x)) 
nil) 

((defun second-of (x) 

(car (cdr x))) 
nil) 

((dethm first-of-pair (a b) 

(equal (first-of (pair a b)) a)) 
nil 

((1 1) (pair a b)) 

((1) (first-of (cons a (cons b ’())))) 

((1) (car/cons a (cons b ’()))) 

(() (equal-same a))))) 


Now we have proved a theorem with What if we want to prove more? 

J-Bob. 


We can add more proofs to the second Does the second argument keep growing 

argument of J-Bob/prove. forever? 


Perhaps. But we can also use How does that work? 

J-Bob/define if we want to record our 
proofs so far. 


Recess 


173 







42 


Then what? 


We replace J-Bob/prove with 
J-Bob/def ine, which produces a list of 
all the theorems we know or have proved 
so far. We put this expression in a 
defun, here named 

prelude+first-of-pair, to record our 
work. 

(defun prelude+first-of-pair () 

(J-Bob/define (prelude) 

’(((defun pair (x y) 

(cons x (cons y ’()))) 
nil) 

((defun first-of (x) 

(car x)) 
nil) 

((defun second-of (x) 

(car (cdr x))) 
nil) 

((dethm first-of-pair (a b) 

(equal (first-of (pair a b)) a)) 
nil 

((1 1) (pair a b)) 

((1) (first-of (cons a (cons b ’())))) 
((1) (car/cons a (cons b ’()))) 

(() (equal-same a)))))) 


Once we record our work with 
J-Bob/def ine, we can use it to start a 
new proof attempt. For example, what 
value is this expression equal to? 

(J-Bob/prove (prelude) ’’nil 

’(((dethm second-of-pair (a b) 

(equal (second-of (pair a b)) b)) 
nil))) 


Can we prove second-of-pair based Of course not. We need the definitions of 

only on the prelude? second-of and pair that are saved in 

prelude+first-of-pair to prove 
second-of-pair. 


That is not what we expect. What is 
wrong? 
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In order to use the definitions in 
prelude+first-of-pair, we must pass 
them as the first argument to 
J-Bob/prove. 

(J-Bob/prove (prelude+first-of-pair) 
’(((dethm second-of-pair (a b) 

(equal (second-of (pair a b)) b)) 
nil))) 


And now we start a proof attempt for 
second-of-pair. 


’(equal (second-of (pair a b)) b) 


What if we give several proof attempts Does J-Bob ignore the first two dethms? 
to J-Bob/prove without finishing them? 

(J-Bob/prove (prelude+first-of-pair) ’(equal (in-pair? (pair a ’?)) ’t) 

’(((dethm second-of-pair (a b) 

(equal (second-of (pair a b)) b)) 
nil) 

((defun in-pair? (xs) 

(if (equal (first-of xs) ’?) 

’t 

(equal (second-of xs) ’?))) 

nil) 

((dethm in-first-of-pair (b) 

(equal (in-pair? (pair ’? b)) ’t)) 
nil) 

((dethm in-second-of-pair (a) 

(equal (in-pair? (pair a ’?)) ’t)) 
nil))) 


J-Bob/prove shows us the expression That makes sense. Does J-Bob/define 

from the last unfinished proof attempt, start at the last proof, too? 
but we must finish all the proofs to get 
”t. 


J-Bob/define only includes a definition Got it. 

in its result when it has been completely 

proved, including everything that comes 

before it. Use J-Bob/prove to work on 

unfinished proofs, then use 

J-Bob/define when the proofs are 

finished. 
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Below, we include complete proofs that 
are certified by J-Bob. 


49 


We can’t wait to play along. 


What value is this expression equal to? A representation of the expression ’nil. 

Is that because list? is recursive? 

(J-Bob/prove (prelude) ’’nil 

’(((defun list? (x) 

(if (atom x) 

(equal x ’()) 

(list? (cdr x)))) 

nil))) 


Exactly. J-Bob won’t give us ”t until we How do we do that? 
prove each defun total. 


We must pass the measure of list?, 
defined in frame 69 of chapter 4, as the 
seed of our proof attempt. What does 
J-Bob/prove produce? 

(J-Bob/prove (prelude) 

’(((defun list? (x) 

(if (atom x) 

(equal x ’() ) 

(list? (cdr x)))) 

(size x)))) 


A representation of the totality claim for 
list?. 


’(if (natp (size x)) 

(if (atom x) 

’t 

(< (size (cdr x)) (size x))) 
’nil) 
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53 


Sensible. 


We prove a totality claim from a defun 
by adding proof steps, just like any other 
claim. 

(J-Bob/prove (prelude) 5 

’(((defun list? (x) 

(if (atom x) 

(equal x ’ () ) 

(list? (cdr x)))) 

(size x) 

((Q) (natp/size x)) 

(() 

(if-true 

(if (atom x) 

’t 

(< (size (cdr x)) (size x))) 

’nil)) 

((E) (size/cdr x)) 

(() (if-same (atom x) ’t))))) 


Can we prove totality of memb? and remb 
using J-Bob? 


54 


Perhaps. Is that difficult? 


Not at all. We use the measure 
expressions of memb? and remb as the 
seed for their respective proof attempts 

(J-Bob/prove (prelude) 

’(((defun memb? (xs) 

(if (atom xs) 

’nil 

(if (equal (car xs) ’?) 


55 


But it appears we must still fill in the 
proof steps. 


(if (natp (size xs)) 
(if (atom xs) 


(< (size (cdr xs)) (size xs))) 


nil) 


(memb? (cdr xs))))) 

(size xs)) 

((defun remb (xs) 

(if (atom xs) 

’() 

(if (equal (car xs) ’?) 
(remb (cdr xs)) 

(cons (car xs) (remb 
(size xs)))) 


(cdr xs)))))) 
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Naturally. 
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We can use prelude+f irst-of-pair, or 
we can use prelude if we do not need 
the definitions of pair, first-of, and 
first-of-pair. 


57 


Certainly. We can save the definitions as 
prelude+memb?+remb with 
J-Bob/define. 
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Are we ready to try induction with 
J-Bob? 


59 



Then we must use list-induct ion in 
the seed of our proof attempt and give a 
single variable name for the list we want 
to consider for induction. We should also 
remember to start off with memb? and 
remb from chapter5. 


61 


(J-Bob/prove (chapter5) 
’(((dethm memb?/remb (xs) 

(equal (memb? (remb xs)) 
(list-induction xs)))) 


’nil)) 


After we generate the inductive claim, 
we just add steps to the proof until it is 
done. 


62 
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Do we need to start from 
prelude+f irst-of-pair instead of 
prelude? 

And can we save our work when we have 
proved memb? and remb are total? 


Good. 


Ready and eager. 


Of course. 


And then? 


5 (if (atom xs) 

(equal (memb? (remb xs)) ’nil) 

(if (equal (memb? (remb (cdr xs))) ’nil) 
(equal (memb? (remb xs)) ’nil) 

’t)) 


That’s not hard at all. 
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Ready to do more induction with J-Bob? We are star-struck. 



Star Induction works similarly to List 
Induction. Use star-induct ion in the 
seed for a dethm and name the variable 
on which to do induction. 

(J-Bob/prove (prelude) 

’(((defun sub (x y) 

(if (atom y) 

(if (equal y ’?) x y) 

(cons (sub x (car y)) 

(sub x (cdr y))))) 

(size y)) 

((defun ctx? (x) 

(if (atom x) 

(equal x ’?) 

(if (ctx? (car x)) 

’t 

(ctx? (cdr x))))) 

(size x)) 

((dethm ctx?/sub (x y) 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) ’t) 
’t) 

’t)) 

(star-induction y)))) 


5 (if (atom y) 

(if (ctx? x) 

(if (ctx? y) 

(equal (ctx? (sub x y)) ’t) 

’t) 

’t) 

(if (if (ctx? x) 

(if (ctx? (car y)) 

(equal 

(ctx? (sub x (car y))) 

’t) 

’t) 

’t) 

(if (if (ctx? x) 

(if (ctx? (cdr y)) 

(equal 

(ctx? (sub x (cdr y))) 
’t) 

’t) 

’t) 

(if (ctx? x) 

(if (ctx? y) 

(equal 

(ctx? (sub x y)) 

’t) 

’t) 

’t) 

’t) 

’t)) 


Do we already know how to do Defun Yes, we do it in frames 61 and 64. The 

Induction with J-Bob? functions list-induct ion and 

star-induct ion are defined in prelude 
on page 214. 
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Chapter 1 Examples 

(defun chapterl.example1 () 

(J-Bob/step (prelude) 

’(car (cons ’ham ’(eggs))) 

’(((1) (cons ’ham ’(eggs))) 

(() (car ’(ham eggs)))))) 

(defun chapterl.example2 () 

(J-Bob/step (prelude) 

’(atom ’()) 

’((() (atom ’()))))) 

(defun chapterl.example3 () 

(J-Bob/step (prelude) 

’(atom (cons ’ham ’(eggs))) 

’(((1) (cons ’ham ’(eggs))) 

(() (atom ’(ham eggs)))))) 

(defun chapterl.example4 () 

(J-Bob/step (prelude) 

’(atom (cons a b)) 

’((() (atom/cons a b))))) 

(defun chapterl.example5 () 

(J-Bob/step (prelude) 

’(equal ’flapjack (atom (cons a b))) 

’(((2) (atom/cons a b)) 

(() (equal ’flapjack ’nil))))) 

(defun chapterl.example6 () 

(J-Bob/step (prelude) 

’(atom (cdr (cons (car (cons p q)) ’()))) 

’(((1 1 1) (car/cons p q)) 

((1) (cdr/cons p ’())) 

(() (atom ’()))))) 

(defun chapterl.example7 () 

(J-Bob/step (prelude) 

’(atom (cdr (cons (car (cons p q)) ’()))) 

’(((1) (cdr/cons (car (cons p q)) ’())) 

(() (atom ’()))))) 

(defun chapterl.example8 () 

(J-Bob/step (prelude) 

’(car (cons (equal (cons x y) (cons x y)) ’(and crumpets))) 

’(((1 1) (equal-same (cons x y))) 

((1) (cons ’t ’(and crumpets))) 

(() (car ’(t and crumpets)))))) 

(defun chapterl.example9 () 

(J-Bob/step (prelude) 

’(equal (cons x y) (cons ’bagels ’(and lox))) 

’((() (equal-swap (cons x y) (cons ’bagels ’(and lox))))))) 

(defun chapterl.example10 () 

(J-Bob/step (prelude) 

’(cons y (equal (car (cons (cdr x) (car y))) (equal (atom x) ’nil))) 
’(((2 1) (car/cons (cdr x) (car y)))))) 
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(defun chapterl.example11 () 

(J-Bob/step (prelude) 

’(cons y (equal (car (cons (cdr x) (car y))) (equal (atom x) ’nil))) 

’(((2 1) (car/cons (car (cons (cdr x) (car y))) ’(oats))) 

((2 2 2) (atom/cons (atom (cdr (cons a b))) (equal (cons a b) c))) 

((222 1 1 1) (cdr/cons a b)) 

((22212) (equal-swap (cons a b) c))))) 

(defun chapterl.example12 () 

(J-Bob/step (prelude) 

’(atom (car (cons (car a) (cdr b)))) 

’(((1) (car/cons (car a) (cdr b)))))) 

Chapter 2 Examples 

(defun chapter2.example1 () 

(J-Bob/step (prelude) 

’(if (car (cons a b)) c c) 

’(((Q) (car/cons a b)) 

(() (if-same a c)) 

(() 

(if-same 

(if (equal a ’t) (if (equal ’nil ’nil) a b) (equal ’or (cons ’black ’(coffee)))) 
c)) 

((Q E 2) (cons ’black ’(coffee))) 

((Q A Q) (equal-same ’nil)) 

((Q A) (if-true a b)) 

((Q A) (equal-if a ’t))))) 

(defun chapter2.example2 () 

(J-Bob/step (prelude) 

’(if (atom (car a)) 

(if (equal (car a) (cdr a)) ’hominy ’grits) 

(if (equal (cdr (car a)) ’(hash browns)) 

(cons ’ketchup (car a)) 

(cons ’mustard (car a)))) 

’(((E A 2) (cons/car+cdr (car a))) 

((E A 2 2) (equal-if (cdr (car a)) ’(hash browns)))))) 

(defun chapter2.example3 () 

(J-Bob/step (prelude) 

’(cons ’statement 

(cons (if (equal a ’question) (cons n ’(answer)) (cons n ’(else))) 

(if (equal a ’question) (cons n ’(other answer)) (cons n ’(other else))))) 

’((( 2 ) 

(if-same (equal a ’question) 

(cons (if (equal a ’question) (cons n ’(answer)) (cons n ’(else))) 

(if (equal a ’question) (cons n ’(other answer)) (cons n ’(other else)))))) 

((2 A 1) (if-nest-A (equal a ’question) (cons n ’(answer)) (cons n ’(else)))) 

((2 E 1) (if-nest-E (equal a ’question) (cons n ’(answer)) (cons n ’(else)))) 

((2 A 2) 

(if-nest-A (equal a ’question) (cons n ’(other answer)) (cons n ’(other else)))) 
((2 E 2) 

(if-nest-E (equal a ’question) 

(cons n ’(other answer)) 

(cons n ’(other else))))))) 
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Chapter 3 Proofs 


(defun defun.pair () 

(J-Bob/define (prelude) 

’(((defun pair (x y) 

(cons x (cons y ’()))) 
nil)))) 

(defun defun.first-of () 

(J-Bob/define (defun.pair) 

’(((defun first-of (x) 

(car x)) 
nil)))) 

(defun defun.second-of () 

(J-Bob/define (defun.first-of) 

’(((defun second-of (x) 

(car (cdr x))) 
nil)))) 

(defun dethm.first-of-pair () 

(J-Bob/define (defun.second-of) 

’(((dethm first-of-pair (a b) 

(equal (first-of (pair a b)) a)) 
nil 

((1 1) (pair a b)) 

((1) (first-of (cons a (cons b ’())))) 

((1) (car/cons a (cons b ’()))) 

(() (equal-same a)))))) 

(defun dethm.second-of-pair () 

(J-Bob/define (dethm.first-of-pair) 

’(((dethm second-of-pair (a b) 

(equal (second-of (pair a b)) b)) 
nil 

((1) (second-of (pair a b))) 

((1 1 1) (pair a b)) 

((1 1) (cdr/cons a (cons b ’()))) 

((1) (car/cons b ’())) 

(() (equal-same b)))))) 

(defun defun.in-pair? () 

(J-Bob/define (dethm.second-of-pair) 

’(((defun in-pair? (xs) 

(if (equal (first-of xs) ’?) ’t (equal (second-of xs) ’?))) 
nil)))) 

(defun dethm.in-first-of-pair () 

(J-Bob/define (defun.in-pair?) 

’(((dethm in-first-of-pair (b) 

(equal (in-pair? (pair ’? b)) ’t)) 
nil 

((1 1) (pair ’? b)) 

((1) (in-pair? (cons ’? (cons b ’())))) 

((1 Q 1) (first-of (cons ’? (cons b ’())))) 

((1 Q 1) (car/cons ’? (cons b ’()))) 

((1 Q) (equal-same ’?)) 

((1) (if-true ’t (equal (second-of (cons ’? (cons b ’()))) ’?))) 
(() (equal-same ’t)))))) 
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(defun dethm.in-second-of-pair () 

(J-Bob/define (dethm.in-first-of-pair) 

’(((dethm in-second-of-pair (a) 

(equal (in-pair? (pair a ’?)) ’t)) 
nil 

((1 1) (pair a ’?)) 

((1) (in-pair? (cons a (cons ’? ’())))) 

((1 Q 1) (first-of (cons a (cons ’? ’())))) 

((1 Q 1) (car/cons a (cons ’? ’()))) 

((1 E 1) (second-of (cons a (cons ’? ’())))) 
((1 Ell) (cdr/cons a (cons ’? ’()))) 

((1 E 1) (car/cons ’? ’())) 

((1 E) (equal-same ’?)) 

((1) (if-same (equal a ’?) ’t)) 

(() (equal-same ’t)))))) 


Chapter 4 Proofs 

(defun defun.listO? () 

(J-Bob/define (dethm.in-second-of-pair) 

’(((defun listO? (x) 

(equal x ’())) 
nil)))) 

(defun defun.listl? () 

(J-Bob/define (defun.listO?) 

’(((defun listl? (x) 

(if (atom x) ’nil (listO? (cdr x)))) 
nil)))) 

(defun defun.Iist2? () 

(J-Bob/define (defun.listl?) 

’(((defun list2? (x) 

(if (atom x) ’nil (listl? (cdr x)))) 
nil)))) 

(defun dethm.contradiction () 

(J-Bob/prove 

(list-extend (prelude) 

’(defun partial (x) 

(if (partial x) ’nil ’t))) 

’(((dethm contradiction () ’nil) 
nil 

(() (if-same (partial x) ’nil)) 

((A) (if-nest-A (partial x) ’nil ’t)) 

((E) (if-nest-E (partial x) ’t ’nil)) 

((A Q) (partial x)) 

((E Q) (partial x)) 

((A Q) (if-nest-A (partial x) ’nil ’t)) 

((E Q) (if-nest-E (partial x) ’nil ’t)) 

((A) (if-false ’nil ’t)) 

((E) (if-true ’t ’nil)) 

(() (if-same (partial x) ’t)))))) 
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(defun defun.list? () 

(J-Bob/define (defun.Iist2?) 

’(((defun list? (x) 

(if (atom x) (equal x ’()) (list? (cdr x)))) 

(size x) 

((Q) (natp/size x)) 

(() (if-true (if (atom x) ’t (< (size (cdr x)) (size x))) ’nil)) 

((E) (size/cdr x)) 

(() (if-same (atom x) ’t)))))) 

(defun defun.sub () 

(J-Bob/define (defun.list?) 

’(((defun sub (x y) 

(if (atom y) (if (equal y ’?) x y) (cons (sub x (car y)) (sub x (cdr y))))) 
(size y) 

((Q) (natp/size y)) 

(() 

(if-true 

(if (atom y) 

’t 

(if (< (size (car y)) (size y)) (< (size (cdr y)) (size y)) ’nil)) 

’nil)) 

((E Q) (size/car y)) 

((E A) (size/cdr y)) 

((E) (if-true ’t ’nil)) 

(() (if-same (atom y) ’t)))))) 

Chapter 5 Proofs 

(defun defun.memb? () 

(J-Bob/define (defun.sub) 

’(((defun memb? (xs) 

(if (atom xs) ’nil (if (equal (car xs) ’?) ’t (memb? (cdr xs))))) 

(size xs) 

((Q) (natp/size xs)) 

(() 

(if-true 

(if (atom xs) ’t (if (equal (car xs) ’?) ’t (< (size (cdr xs)) (size xs)))) 
’nil)) 

((E E) (size/cdr xs)) 

((E) (if-same (equal (car xs) ’?) ’t)) 

(() (if-same (atom xs) ’t)))))) 

(defun defun.remb () 

(J-Bob/define (defun.memb?) 

’(((defun remb (xs) 

(if (atom xs) 

’() 

(if (equal (car xs) ’?) (remb (cdr xs)) (cons (car xs) (remb (cdr xs)))))) 
(size xs) 

((Q) (natp/size xs)) 

(() (if-true (if (atom xs) ’t (< (size (cdr xs)) (size xs))) ’nil)) 

((E) (size/cdr xs)) 

(() (if-same (atom xs) ’t)))))) 
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(defun dethm.memb?/rembO () 

(J-Bob/define (defun.remb) 

’(((dethm memb?/rembO () 

(equal (memb? (remb ’())) ’nil)) 
nil 

((1 1) (remb ’())) 

((1 1 Q) (atom ’())) 

((1 1 ) 

(if-true ’() 

(if (equal (car ’()) ’?) (remb (cdr ’())) (cons (car ’()) (remb (cdr ’())))))) 
((1) (memb? ’())) 

((1 Q) (atom ’())) 

((1) (if-true ’nil (if (equal (car ’()) ’?) ’t (memb? (cdr ’()))))) 

(() (equal-same ’nil)))))) 

(defun dethm.memb?/rembl () 

(J-Bob/define (dethm.memb?/rembO) 

’(((dethm memb?/rembl (xl) 

(equal (memb? (remb (cons xl ’()))) ’nil)) 
nil 

((1 1) (remb (cons xl ’()))) 

((1 1 Q) (atom/cons xl ’())) 

((1 1 ) 

(if-false ’() 

(if (equal (car (cons xl ’())) ’?) 

(remb (cdr (cons xl ’()))) 

(cons (car (cons xl ’())) (remb (cdr (cons xl ’()))))))) 

((1 1 Q 1) (car/cons xl ’())) 

((1 1 A 1) (cdr/cons xl ’())) 

((1 1 E 1) (car/cons xl ’())) 

((1 1 E 2 1) (cdr/cons xl ’())) 

(( 1 ) 

(if-same (equal xl ’?) 

(memb? (if (equal xl ’?) (remb ’()) (cons xl (remb ’())))))) 

((1 A 1) (if-nest-A (equal xl ’?) (remb ’()) (cons xl (remb ’())))) 

((1 E 1) (if-nest-E (equal xl ’?) (remb ’()) (cons xl (remb ’())))) 

((1 A) (memb?/rembO)) 

((1 E) (memb? (cons xl (remb ’())))) 

((1 E Q) (atom/cons xl (remb ’()))) 

((1 E) 

(if-false ’nil 

(if (equal (car (cons xl (remb ’()))) ’?) 

’t 

(memb? (cdr (cons xl (remb ’()))))))) 

((1 E Q 1) (car/cons xl (remb ’()))) 

((1 EE 1) (cdr/cons xl (remb ’()))) 

((1 E) (if-nest-E (equal xl ’?) ’t (memb? (remb ’())))) 

((1 E) (memb?/rembO)) 

((1) (if-same (equal xl ’?) ’nil)) 

(() (equal-same ’nil)))))) 

(defun dethm.memb?/remb2 () 

(J-Bob/define (dethm.memb?/rembl) 

’(((dethm memb?/remb2 (xl x2) 

(equal (memb? (remb (cons x2 (cons xl ’())))) ’nil)) 
nil 
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((1 1) (remb (cons x2 (cons xl ’())))) 

((1 1 Q) (atom/cons x2 (cons xl ’()))) 

((1 1 ) 

(if-false ’() 

(if (equal (car (cons x2 (cons xl ’()))) ’?) 

(remb (cdr (cons x2 (cons xl ’())))) 

(cons (car (cons x2 (cons xl ’()))) 

(remb (cdr (cons x2 (cons xl ’ ())))))))) 

((1 1 Q 1) (car/cons x2 (cons xl ’()))) 

((1 1 A 1) (cdr/cons x2 (cons xl ’()))) 

((1 1 E 1) (car/cons x2 (cons xl ’()))) 

((1 1 E 2 1) (cdr/cons x2 (cons xl ’()))) 

(( 1 ) 

(if-same (equal x2 ’?) 

(memb? 

(if (equal x2 ’?) (remb (cons xl ’())) (cons x2 (remb (cons xl ’()))))))) 


((1 A 1) 

(if-nest-A (equal x2 ’?) (remb (cons xl ’())) (cons x2 
((1 E 1) 

(if-nest-E (equal x2 ’?) (remb (cons xl ’())) (cons x2 
((1 A) (memb?/rembl xl)) 

((1 E) (memb? (cons x2 (remb (cons xl ’()))))) 

((1 E Q) (atom/cons x2 (remb (cons xl ’())))) 

((1 E) 

(if-false ’nil 

(if (equal (car (cons x2 (remb (cons xl ’())))) ’?) 


(remb (cons xl 
(remb (cons xl 


’()))))) 

’()))))) 



(memb? (cdr (cons x2 (remb (cons xl ’())))))))) 

((1 E Q 1) (car/cons x2 (remb (cons xl ’())))) 

((1 EE 1) (cdr/cons x2 (remb (cons xl ’())))) 

((1 E) (if-nest-E (equal x2 ’?) ’t (memb? (remb (cons xl ’()))))) 
((1 E) (memb?/rembl xl)) 

((1) (if-same (equal x2 ’?) ’nil)) 

(() (equal-same ’nil)))))) 


Chapter 6 Proofs 

(defun dethm.memb?/remb () 

(J-Bob/define (dethm.memb?/remb2) 

’(((dethm memb?/remb (xs) 

(equal (memb? (remb xs)) ’nil)) 

(list-induction xs) 

((A 1 1) (remb xs)) 

((A 1 1) 

(if-nest-A (atom xs) 

’() 

(if (equal (car xs) ’?) (remb (cdr xs)) (cons (car xs) (remb (cdr xs)))))) 
((A 1) (memb? ’())) 

((A 1 Q) (atom ’())) 

((A 1) (if-true ’nil (if (equal (car ’()) ’?) ’t (memb? (cdr ’()))))) 

((A) (equal-same ’nil)) 

((E A 1 1) (remb xs)) 
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((E A 1 1) 

(if-nest-E (atom xs) 

’() 

(if (equal (car xs) ’?) (remb (cdr xs)) (cons (car xs) (remb (cdr xs)))))) 

((E A 1) 

(if-same (equal (car xs) ’?) 

(memb? 

(if (equal (car xs) ’?) (remb (cdr xs)) (cons (car xs) (remb (cdr xs))))))) 
((E A 1 A 1) 

(if-nest-A (equal (car xs) ’?) (remb (cdr xs)) (cons (car xs) (remb (cdr xs))))) 
((E A 1 E 1) 

(if-nest-E (equal (car xs) ’?) (remb (cdr xs)) (cons (car xs) (remb (cdr xs))))) 
((E A 1 A) (equal-if (memb? (remb (cdr xs))) ’nil)) 

((E A 1 E) (memb? (cons (car xs) (remb (cdr xs))))) 

((E A 1 E Q) (atom/cons (car xs) (remb (cdr xs)))) 

((E A 1 E) 

(if-false ’nil 

(if (equal (car (cons (car xs) (remb (cdr xs)))) ’?) 

’t 

(memb? (cdr (cons (car xs) (remb (cdr xs)))))))) 

((E A 1 E Q 1) (car/cons (car xs) (remb (cdr xs)))) 

((E A 1 EE 1) (cdr/cons (car xs) (remb (cdr xs)))) 

((E A 1 E) (if-nest-E (equal (car xs) ’?) ’t (memb? (remb (cdr xs))))) 

((E A 1 E) (equal-if (memb? (remb (cdr xs))) ’nil)) 

((E A 1) (if-same (equal (car xs) ’?) ’nil)) 

((E A) (equal-same ’nil)) 

((E) (if-same (equal (memb? (remb (cdr xs))) ’nil) ’t)) 

(() (if-same (atom xs) ’t)))))) 

Chapter 7 Proofs 

(defun defun.ctx? () 

(J-Bob/define (dethm.memb?/remb) 

’(((defun ctx? (x) 

(if (atom x) (equal x ’?) (if (ctx? (car x)) ’t (ctx? (cdr x))))) 

(size x) 

((Q) (natp/size x)) 

(() 

(if-true 

(if (atom x) 

’t 

(if (< (size (car x)) (size x)) 

(if (ctx? (car x)) ’t (< (size (cdr x)) (size x))) 

’nil)) 

’nil)) 

((E Q) (size/car x)) 

((E A E) (size/cdr x)) 

((E A) (if-same (ctx? (car x)) ’t)) 

((E) (if-true ’t ’nil)) 

(() (if-same (atom x) ’t)))))) 

(defun dethm.ctx?/sub () 

(J-Bob/define (defun.ctx?) 

’(((dethm ctx?/t (x) 

(if (ctx? x) (equal (ctx? x) ’t) ’t)) 
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(star-induction x) 

((A A 1) (ctx? x)) 

((A A 1) (if-nest-A (atom x) (equal x ’?) (if (ctx? (car x)) ’t (ctx? (cdr x))))) 
((A Q) (ctx? x)) 

((A Q) (if-nest-A (atom x) (equal x ’?) (if (ctx? (car x)) 5 t (ctx? (cdr x))))) 
((A A 1 1) (equal-if x ’?)) 

((A A 1) (equal-same ’?)) 

((A A) (equal-same ’t)) 

((A) (if-same (equal x ’?) 5 t)) 

((E A A A 1) (ctx? x)) 

((E A A A 1) 

(if-nest-E (atom x) (equal x ’?) (if (ctx? (car x)) ’t (ctx? (cdr x))))) 

((E) 

(if-same (ctx? (car x)) 

(if (if (ctx? (car x)) (equal (ctx? (car x)) ’t) ’t) 

(if (if (ctx? (cdr x)) (equal (ctx? (cdr x)) ’t) ’t) 

(if (ctx? x) (equal (if (ctx? (car x)) ’t (ctx? (cdr x))) ’t) ’t) 

’t) 

’t))) 

((E A Q) (if-nest-A (ctx? (car x)) (equal (ctx? (car x)) ’t) ’t)) 

((E A A A A 1) (if-nest-A (ctx? (car x)) ’t (ctx? (cdr x)))) 

((E E Q) (if-nest-E (ctx? (car x)) (equal (ctx? (car x)) ’t) ’t)) 

((E E A A A 1) (if-nest-E (ctx? (car x)) ’t (ctx? (cdr x)))) 

((E A A A A) (equal-same ’t)) 

((E E) 

(if-true 

(if (if (ctx? (cdr x)) (equal (ctx? (cdr x)) ’t) ’t) 

(if (ctx? x) (equal (ctx? (cdr x)) ’t) ’t) 

’t) 


’t)) 

((E AAA) (if-same (ctx? x) ’t)) 

((E A A) (if-same (if (ctx? (cdr x)) (equal (ctx? (cdr x)) ’t) ’t) ’t)) 
((E A) (if-same (equal (ctx? (car x)) ’t) ’t)) 

((E E A Q) (ctx? x)) 

((E E A Q) 

(if-nest-E (atom x) (equal x ’?) (if (ctx? (car x)) ’t (ctx? (cdr x))))) 
((E E A Q) (if-nest-E (ctx? (car x)) ’t (ctx? (cdr x)))) 

((E E) 

(if-same (ctx? (cdr x)) 

(if (if (ctx? (cdr x)) (equal (ctx? (cdr x)) ’t) ’t) 

(if (ctx? (cdr x)) (equal (ctx? (cdr x)) ’t) ’t) 


J t))) 

((E E A Q) (if-nest-A (ctx? (cdr x)) (equal 
((E E A A) (if-nest-A (ctx? (cdr x)) (equal 
((E E E Q) (if-nest-E (ctx? (cdr x)) (equal 
((E E E A) (if-nest-E (ctx? (cdr x)) (equal 
((E E E) (if-same ’t ’t)) 


(ctx? (cdr x)) ’t) ’t)) 
(ctx? (cdr x)) ’t) ’t)) 
(ctx? (cdr x)) ’t) ’t)) 
(ctx? (cdr x)) ’t) ’t)) 


((E E A A 1) (equal-if (ctx? (cdr x)) 5 t)) 

((E E A A) (equal-same ’t)) 

((E E A) (if-same (equal (ctx? (cdr x)) ’t) ’t)) 

((E E) (if-same (ctx? (cdr x)) ’t)) 

((E) (if-same (ctx? (car x)) ’t)) 

(() (if-same (atom x) ’t))) 

((dethm ctx?/sub (x y) 

(if (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) ’t)) 
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(star-induction y) 

(() 

(if-same (ctx? x) 

(if (atom y) 

(if (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) 5 t) 

(if (if (ctx? x) 

(if (ctx? (car y)) (equal (ctx? (sub x (car y))) ’t) 5 t) 

’t) 

(if (if (ctx? x) 

(if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) 5 t) ’t) 

’t) 

(if (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) ’t) 

’t) 

’t)))) 

((A A) (if-nest-A (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) ’t)) 

((A E Q) 

(if-nest-A (ctx? x) (if (ctx? (car y)) (equal (ctx? (sub x (car y))) ’t) ’t) ’t)) 

((A E A Q) 

(if-nest-A (ctx? x) (if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) ’t) ’t) ’t)) 

((A E A A) (if-nest-A (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) ’t)) 
((E A) (if-nest-E (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) ’t)) 

((E E Q) 

(if-nest-E (ctx? x) (if (ctx? (car y)) (equal (ctx? (sub x (car y))) ’t) ’t) ’t)) 

((E E A Q) 

(if-nest-E (ctx? x) (if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) ’t) ’t) ’t)) 

((E E A A) (if-nest-E (ctx? x) (if (ctx? y) (equal (ctx? (sub x y)) ’t) ’t) ’t)) 
((E E A) (if-same ’t ’t)) 

((E E) (if-same 5 t ’t)) 

((E) (if-same (atom y) ’t)) 

((AAA 1 1) (sub x y)) 

((AAAI 1) 

(if-nest-A (atom y) 

(if (equal y ’?) x y) 

(cons (sub x (car y)) (sub x (cdr y))))) 

((A A A) (if-same (equal y ’?) (equal (ctx? (if (equal y ’?) x y)) ’t))) 

((A A A A 1 1) (if-nest-A (equal y ’?) x y)) 

((A A A E 1 1) (if-nest-E (equal y ’?) x y)) 

((A AAAI) (ctx?/t x)) 

((A A A A) (equal-same ’t)) 

((A A A E 1) (ctx?/t y)) 

((A A A E) (equal-same ’t)) 

((A A A) (if-same (equal y ’?) ’t)) 

((A A) (if-same (ctx? y) ’t)) 

((A E A A A 1 1) (sub x y)) 

((A E A A A 1 1) 

(if-nest-E (atom y) 

(if (equal y ’?) x y) 

(cons (sub x (car y)) (sub x (cdr y))))) 

((A E A A A 1) (ctx? (cons (sub x (car y)) (sub x (cdr y))))) 

((A E A A A 1 Q) (atom/cons (sub x (car y)) (sub x (cdr y)))) 

((AEAAA1EQ1) (car/cons (sub x (car y)) (sub x (cdr y)))) 

((A E A A A 1 EE 1) (cdr/cons (sub x (car y)) (sub x (cdr y)))) 
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((A E A A A 1) 

(if-false (equal (cons (sub x (car y)) (sub x (cdr y))) ’?) 

(if (ctx? (sub x (car y))) ’t (ctx? (sub x (cdr y)))))) 

((A E A A Q) (ctx? y)) 

((A E A A Q) 

(if-nest-E (atom y) (equal y ’?) (if (ctx? (car y)) ’t (ctx? (cdr y))))) 

((A E) 

(if-same (ctx? (car y)) 

(if (if (ctx? (car y)) (equal (ctx? (sub x (car y))) ’t) ’t) 

(if (if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) ’t) ’t) 

(if (if (ctx? (car y)) ’t (ctx? (cdr y))) 

(equal (if (ctx? (sub x (car y))) 5 t (ctx? (sub x (cdr y)))) 5 t) 
’t) 

’t) 

’t))) 

((A E A Q) (if-nest-A (ctx? (car y)) (equal (ctx? (sub x (car y))) ’t) ’t)) 

((A E A A A Q) (if-nest-A (ctx? (car y)) ’ t (ctx? (cdr y)))) 

((A E E Q) (if-nest-E (ctx? (car y)) (equal (ctx? (sub x (car y))) ’t) ’t)) 

((A E E A A Q) (if-nest-E (ctx? (car y)) 5 t (ctx? (cdr y)))) 

((A E A A A) 

(if-true (equal (if (ctx? (sub x (car y))) ’t (ctx? (sub x (cdr y)))) ’t) ’t)) 
((A E E) 

(if-true 

(if (if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) 5 1) ’t) 

(if (ctx? (cdr y)) 

(equal (if (ctx? (sub x (car y))) ’t (ctx? (sub x (cdr y)))) ’t) 

’t) 

’t) 

’t)) 

((A E A A A 1 Q) (equal-if (ctx? (sub x (car y))) ’t)) 

((A E A A A 1) (if-true ’t (ctx? (sub x (cdr y))))) 

((A E A A A) (equal-same ’t)) 

((A E A A) (if-same (if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) ’t) ’t) ’t)) 
((A E A) (if-same (equal (ctx? (sub x (car y))) ’t) ’t)) 

((A E E) 

(if-same (ctx? (cdr y)) 

(if (if (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) 5 1) ’t) 

(if (ctx? (cdr y)) 

(equal (if (ctx? (sub x (car y))) 5 1 (ctx? (sub x (cdr y)))) ’t) 

’t) 

’t))) 

((A E E A Q) (if-nest-A (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) ’t) ’t)) 

((A E E A A) 

(if-nest-A (ctx? (cdr y)) 

(equal (if (ctx? (sub x (car y))) ’t (ctx? (sub x (cdr y)))) ’t) 

’t)) 

((A E E E Q) (if-nest-E (ctx? (cdr y)) (equal (ctx? (sub x (cdr y))) ’t) ’t)) 

((A E E E A) 

(if-nest-E (ctx? (cdr y)) 

(equal (if (ctx? (sub x (car y))) ’t (ctx? (sub x (cdr y)))) ’t) 

J t)) 

((A E E E) (if-same ’t ’t)) 

((A E E A A 1 E) (equal-if (ctx? (sub x (cdr y))) ’t)) 

((A E E A A 1) (if-same (ctx? (sub x (car y))) ’t)) 
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((A E E A A) (equal-same ’t)) 

((A E E A) (if-same (equal (ctx? (sub x (cdr y))) ’t) ’t)) 

((A E E) (if-same (ctx? (cdr y)) ’t)) 

((A E) (if-same (ctx? (car y)) ’t)) 

((A) (if-same (atom y) ’t)) 

(() (if-same (ctx? x) ’t)))))) 

Chapter 8 Proofs 

(defun defun.member? () 

(J-Bob/define (dethm.ctx?/sub) 

’(((defun member? (x ys) 

(if (atom ys) ’nil (if (equal x (car ys)) ’t (member? x (cdr ys))))) 

(size ys) 

((Q) (natp/size ys)) 

(() 

(if-true 

(if (atom ys) ’t (if (equal x (car ys)) ’t (< (size (cdr ys)) (size ys)))) 
’nil)) 

((E E) (size/cdr ys)) 

((E) (if-same (equal x (car ys)) ’t)) 

(() (if-same (atom ys) ’t)))))) 

(defun defun.set? () 

(J-Bob/define (defun.member?) 

’(((defun set? (xs) 

(if (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
(size xs) 

((Q) (natp/size xs)) 

(() 

(if-true 

(if (atom xs) 

’t 

(if (member? (car xs) (cdr xs)) ’t (< (size (cdr xs)) (size xs)))) 
’nil)) 

((E E) (size/cdr xs)) 

((E) (if-same (member? (car xs) (cdr xs)) ’t)) 

(() (if-same (atom xs) ’t)))))) 

(defun defun.add-atoms () 

(J-Bob/define (defun.set?) 

’(((defun add-atoms (x ys) 

(if (atom x) 

(if (member? x ys) ys (cons x ys)) 

(add-atoms (car x) (add-atoms (cdr x) ys)))) 

(size x) 

((Q) (natp/size x)) 

(() 

(if-true 

(if (atom x) 

’t 

(if (< (size (car x)) (size x)) (< (size (cdr x)) (size x)) ’nil)) 
’nil)) 

((E Q) (size/car x)) 

((E A) (size/cdr x)) 

((E) (if-true ’t ’nil)) 

(() (if-same (atom x) ’t)))))) 
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(defun defun.atoms () 

(J-Bob/define (defun.add-atoms) 
’(((defun atoms (x) 

(add-atoms x ’())) 
nil)))) 


Chapter 9 Proofs 

(defun dethm.set?/atoms.attempt () 

(J-Bob/prove (defun.atoms) 

’(((dethm set?/add-atoms (a) 

(equal (set? (add-atoms a ’())) ’t)) 

(star-induction a) 

((E A A 1 1) (add-atoms a ’()))) 

((dethm set?/atoms (a) 

(equal (set? (atoms a)) ’t)) 
nil 

((1 1) (atoms a)) 

((1) (set?/add-atoms a)) 

(() (equal-same ’t)))))) 

(defun dethm.set?/atoms () 

(J-Bob/define (defun.atoms) 

’(((dethm set?/t (xs) 

(if (set? xs) (equal (set? xs) ’t) ’t)) 

(list-induction xs) 

((A A 1) (set? xs)) 

((A A 1) 

(if-nest-A (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
((A A) (equal-same ’t)) 

((A) (if-same (set? xs) ’t)) 

((E A A 1) (set? xs)) 

((E A A 1) 

(if-nest-E (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
((E A Q) (set? xs)) 

((E A Q) 

(if-nest-E (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
((E A) 

(if-same (member? (car xs) (cdr xs)) 

(if (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))) 

(equal (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))) ’t) 

’t))) 

((E A A Q) (if-nest-A (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A A A 1) (if-nest-A (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A E Q) (if-nest-E (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A E A 1) (if-nest-E (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A A) (if-false (equal ’nil ’t) ’t)) 

((E) 

(if-same (set? (cdr xs)) 

(if (if (set? (cdr xs)) (equal (set? (cdr xs)) ’t) ’t) 

(if (member? (car xs) (cdr xs)) 

’t 

(if (set? (cdr xs)) (equal (set? (cdr xs)) ’t) ’t)) 

’t))) 

((E A Q) (if-nest-A (set? (cdr xs)) (equal (set? (cdr xs)) ’t) ’t)) 

((E A A E) (if-nest-A (set? (cdr xs)) (equal (set? (cdr xs)) ’t) ’t)) 
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((E E Q) (if-nest-E (set? (cdr xs)) (equal (set? (cdr xs)) ’t) ’t)) 

((E E A E) (if-nest-E (set? (cdr xs)) (equal (set? (cdr xs)) ’t) ’t)) 

((E E A) (if-same (member? (car xs) (cdr xs)) ’t)) 

((E E) (if-same ’ t ’t)) 

((E A A E 1) (equal-if (set? (cdr xs)) ’t)) 

((E A A E) (equal-same ’t)) 

((E A A) (if-same (member? (car xs) (cdr xs)) ’t)) 

((E A) (if-same (equal (set? (cdr xs)) ’t) ’t)) 

((E) (if-same (set? (cdr xs)) ’t)) 

(() (if-same (atom xs) ’t))) 

((dethm set?/nil (xs) 

(if (set? xs) ’t (equal (set? xs) ’nil))) 

(list-induction xs) 

((A Q) (set? xs)) 

((A Q) 

(if-nest-A (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
((A) (if-true ’t (equal (set? xs) ’nil))) 

((E A E 1) (set? xs)) 

((E A E 1) 

(if-nest-E (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
((E A Q) (set? xs)) 

((E A Q) 

(if-nest-E (atom xs) ’t (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))))) 
((E A) 

(if-same (member? (car xs) (cdr xs)) 

(if (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))) 

’t 

(equal (if (member? (car xs) (cdr xs)) ’nil (set? (cdr xs))) ’nil)))) 

((E A A Q) (if-nest-A (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A A E 1) (if-nest-A (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A E Q) (if-nest-E (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A E E 1) (if-nest-E (member? (car xs) (cdr xs)) ’nil (set? (cdr xs)))) 

((E A A E) (equal-same ’nil)) 

((E A A) (if-same ’nil ’t)) 

((E) 

(if-same (set? (cdr xs)) 

(if (if (set? (cdr xs)) ’t (equal (set? (cdr xs)) ’nil)) 

(if (member? (car xs) (cdr xs)) 

’t 

(if (set? (cdr xs)) ’t (equal (set? (cdr xs)) ’nil))) 

’t))) 

((E A Q) (if-nest-A (set? (cdr xs)) ’t (equal (set? (cdr xs)) ’nil))) 

((E A A E) (if-nest-A (set? (cdr xs)) ’t (equal (set? (cdr xs)) ’nil))) 

((E E Q) (if-nest-E (set? (cdr xs)) ’t (equal (set? (cdr xs)) ’nil))) 

((E E A E) (if-nest-E (set? (cdr xs)) ’t (equal (set? (cdr xs)) ’nil))) 

((E A A) (if-same (member? (car xs) (cdr xs)) ’t)) 

((E A) (if-same ’t ’t)) 

((E E A E 1) (equal-if (set? (cdr xs)) ’nil)) 

((E E A E) (equal-same ’nil)) 

((E E A) (if-same (member? (car xs) (cdr xs)) ’t)) 

((E E) (if-same (equal (set? (cdr xs)) ’nil) ’t)) 

((E) (if-same (set? (cdr xs)) ’t)) 

(() (if-same (atom xs) ’t))) 

((dethm set?/add-atoms (a bs) 

(if (set? bs) (equal (set? (add-atoms a bs)) ’t) ’t)) 
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(add-atoms a bs) 

((A A 1 1) (add-atoms a bs)) 

((A A 1 1) 

(if-nest-A (atom a) 

(if (member? a bs) bs (cons a bs)) 

(add-atoms (car a) (add-atoms (cdr a) bs)))) 

((A A 1) (if-same (member? a bs) (set? (if (member? a bs) bs (cons a bs))))) 
((A A 1 A 1) (if-nest-A (member? a bs) bs (cons a bs))) 

((A A 1 E 1) (if-nest-E (member? a bs) bs (cons a bs))) 

((A A 1 A) (set?/t bs)) 

((A A 1 E) (set? (cons a bs))) 

((A A 1 E Q) (atom/cons a bs)) 

((A A 1 E E Q 1) (car/cons a bs)) 

((A A 1 E E Q 2) (cdr/cons a bs)) 

((A A 1 E E E 1) (cdr/cons a bs)) 

((A A 1 E) (if-false 5 t (if (member? a bs) ’nil (set? bs)))) 

((A A 1 E) (if-nest-E (member? a bs) ’nil (set? bs))) 

((A A 1 E) (set?/t bs)) 

((A A 1) (if-same (member? a bs) ’t)) 

((A A) (equal-same ’t)) 

((A) (if-same (set? bs) ’t)) 

((E) 

(if-same (set? bs) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t) 

’t) 

(if (if (set? bs) (equal (set? (add-atoms (cdr a) bs)) ’t) ’t) 

(if (set? bs) (equal (set? (add-atoms a bs)) ’t) ’t) 

’t) 

’t))) 

((E A A Q) (if-nest-A (set? bs) (equal (set? (add-atoms (cdr a) bs)) ’t) ’t)) 

((E A A A) (if-nest-A (set? bs) (equal (set? (add-atoms a bs)) ’t) ’t)) 

((E E A Q) (if-nest-E (set? bs) (equal (set? (add-atoms (cdr a) bs)) ’t) ’t)) 

((E E A A) (if-nest-E (set? bs) (equal (set? (add-atoms a bs)) ’t) ’t)) 

((E E A) (if-same ’t ’t)) 

((E E) 

(if-same 

(if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t) 

’t) 

’t)) 

((E A) 

(if-same (set? (add-atoms (cdr a) bs)) 

(if (if (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t) 

’t) 

(if (equal (set? (add-atoms (cdr a) bs)) ’t) 

(equal (set? (add-atoms a bs)) ’t) 

’t) 

’t))) 

((E A A Q) 

(if-nest-A (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t) 

’t)) 
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((E A E Q) 

(if-nest-E (set? (add-atoms (cdr a) bs)) 

(equal (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t) 

’t)) 

((E A E) 

(if-true 

(if (equal (set? (add-atoms (cdr a) bs)) ’t) 

(equal (set? (add-atoms a bs)) ’t) 

’t) 

’t)) 

((E A A A Q 1) (set?/t (add-atoms (cdr a) bs))) 

((E A E Q 1) (set?/nil (add-atoms (cdr a) bs))) 

((E A A A Q) (equal ’t ’t)) 

((E A E Q) (equal ’nil ’t)) 

((E A A A) (if-true (equal (set? (add-atoms a bs)) ’t) ’t)) 

((E A E) (if-false (equal (set? (add-atoms a bs)) ’t) ’t)) 

((E A A A 1 1) (add-atoms a bs)) 

((E A A A 1 1) 

(if-nest-E (atom a) 

(if (member? a bs) bs (cons a bs)) 

(add-atoms (car a) (add-atoms (cdr a) bs)))) 

((E A A A 1) (equal-if (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t)) 
((E A A A) (equal-same ’t)) 

((E A A) 

(if-same (equal (set? (add-atoms (car a) (add-atoms (cdr a) bs))) ’t) ’t)) 
((E A) (if-same (set? (add-atoms (cdr a) bs)) ’t)) 

((E) (if-same (set? bs) ’t)) 

(() (if-same (atom a) ’t))) 

((dethm set?/atoms (a) 

(equal (set? (atoms a)) ’t)) 
nil 

((1 1) (atoms a)) 

(() (if-true (equal (set? (add-atoms a ’())) ’t) ’t)) 

((Q) (if-true ’t (if (member? (car ’()) (cdr ’())) ’nil (set? (cdr ’()))))) 
((Q Q) (atom ’())) 

((Q) (set? ’())) 

((A 1) (set?/add-atoms a ’())) 

((A) (equal-same ’t)) 

(() (if-same (set? ’()) ’t)))))) 

Chapter 10 Proofs 

(defun defun.rotate () 

(J-Bob/define (dethm.set?/atoms) 

’(((defun rotate (x) 

(cons (car (car x)) (cons (cdr (car x)) (cdr x)))) 
nil)))) 

(defun dethm.rotate/cons () 

(J-Bob/define (defun.rotate) 

’(((dethm rotate/cons (x y z) 

(equal (rotate (cons (cons x y) z)) (cons x (cons y z)))) 
nil 

((1) (rotate (cons (cons x y) z))) 

((1 1 1) (car/cons (cons x y) z)) 
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((1 1) (car/cons x y)) 

((1 2 1 1) (car/cons (cons x y) z)) 

((1 2 1) (cdr/cons x y)) 

((1 2 2) (cdr/cons (cons x y) z)) 

(() (equal-same (cons x (cons y z)))))))) 

(defun defun.align.attempt () 

(J-Bob/prove (dethm.rotate/cons) 

’(((defun align (x) 

(if (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 
(size x) 

((Q) (natp/size x)) 

(() 

(if-true 

(if (atom x) 

’t 

(if (atom (car x)) 

(< (size (cdr x)) (size x)) 

(< (size (rotate x)) (size x)))) 

’nil)) 

((E A) (size/cdr x)) 

((EE 1 1 1) (cons/car+cdr x)) 

((E E 2 1) (cons/car+cdr x)) 

((E E 1 1 1 1) (cons/car+cdr (car x))) 

((E E 2 1 1) (cons/car+cdr (car x))) 

((EE 1 1) (rotate/cons (car (car x)) (cdr (car x)) (cdr x))))))) 

(defun defun.wt () 

(J-Bob/define (dethm.rotate/cons) 

’(((defun wt (x) 

(if (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 

(size x) 

((Q) (natp/size x)) 

(() 

(if-true 

(if (atom x) 

’t 

(if (< (size (car x)) (size x)) (< (size (cdr x)) (size x)) ’nil)) 

’nil)) 

((E Q) (size/car x)) 

((E A) (size/cdr x)) 

((E) (if-true ’t ’nil)) 

(() (if-same (atom x) ’t)))))) 

(defun defun.align () 

(J-Bob/define (defun.wt) 

’(((dethm natp/wt (x) 

(equal (natp (wt x)) ’t)) 

(star-induction x) 

((A 1 1) (wt x)) 

((A 1 1) (if-nest-A (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 
((A 1) (natp ’1)) 

((A) (equal-same ’t)) 

((E A A 1 1) (wt x)) 
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((E A A 1 1) 

(if-nest-E (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 

((E A A) 

(if-true (equal (natp (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) ’t) ’t)) 
((E A A Q) (equal-if (natp (wt (car x))) ’t)) 

((E A A A) 

(if-true (equal (natp (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) ’t) ’t)) 
((E A A A Q) (natp/+ (wt (car x)) (wt (car x)))) 

((E A A Q) (equal-if (natp (wt (car x))) ’t)) 

((E A A Q) (equal-if (natp (wt (cdr x))) ’t)) 

((E A A A A 1) (natp/+ (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) 

((E A A A A) (equal-same ’t)) 

((E A A A) (if-same (natp (+ (wt (car x)) (wt (car x)))) ’t)) 

((E A A) (if-same (natp (wt (cdr x))) 5 t)) 

((E A) (if-same (equal (natp (wt (cdr x))) ’t) ’t)) 

((E) (if-same (equal (natp (wt (car x))) ’t) ’t)) 

(() (if-same (atom x) ’t))) 

((dethm positive/wt (x) 

(equal (< ’0 (wt x)) ’t)) 

(star-induction x) 

((A 1 2) (wt x)) 

((A 1 2) (if-nest-A (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 
((A 1) (< ’0 >1)) 

((A) (equal-same ’t)) 

((E A A 1 2) (wt x)) 

((E A A 1 2) 

(if-nest-E (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 

((E A A) 

(if-true (equal (< ’0 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) ’t) ’t)) 
((E A A Q) (equal-if (< ’0 (wt (car x))) ’t)) 

((E A A A) 

(if-true (equal (< ’0 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) ’t) ’t)) 
((E A A A Q) (positives-+ (wt (car x)) (wt (car x)))) 

((E A A Q) (equal-if (< ’0 (wt (car x))) ’t)) 

((E A A Q) (equal-if (< ’0 (wt (cdr x))) ’t)) 

((E A A A A 1) (positives-* (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) 

((E A A A A) (equal-same ’t)) 

((E A A A) (if-same (< ’0 (+ (wt (car x)) (wt (car x)))) 5 t)) 

((E A A) (if-same (< ’0 (wt (cdr x))) ’t)) 

((E A) (if-same (equal (< ’0 (wt (cdr x))) ’t) ’t)) 

((E) (if-same (equal (< ’0 (wt (car x))) ’t) ’t)) 

(() (if-same (atom x) ’t))) 

((defun align (x) 

(if (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 

(wt x) 

((Q) (natp/wt x)) 

(() 

(if-true 

(if (atom x) 

’t 

(if (atom (car x)) (< (wt (cdr x)) (wt x)) (< (wt (rotate x)) (wt x)))) 
’nil)) 

((E A 2) (wt x)) 
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((E A 2) (if-nest-E (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 
((E A) 

(if-true (< (wt (cdr x)) (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) ’t)) 
((E A Q) (natp/wt (cdr x))) 

((E A A 1) (identity-+ (wt (cdr x)))) 

((E A A) (common-addends-< 5 0 (+ (wt (car x)) (wt (car x))) (wt (cdr x)))) 

((E A Q) (natp/wt (cdr x))) 

((E A Q) (positive/wt (car x))) 

((E A A) (positives-+ (wt (car x)) (wt (car x)))) 

((E A) (if-same (< ’0 (wt (car x))) ’t)) 

((EE 1 1) (rotate x)) 

((EE 1) (wt (cons (car (car x)) (cons (cdr (car x)) (cdr x))))) 

((EE 1 Q) (atom/cons (car (car x)) (cons (cdr (car x)) (cdr x)))) 

((E E 1) 

(if-false ’1 

(+ (+ (wt (car (cons (car (car x)) (cons (cdr (car x)) (cdr x))))) 

(wt (car (cons (car (car x)) (cons (cdr (car x)) (cdr x)))))) 

(wt (cdr (cons (car (car x)) (cons (cdr (car x)) (cdr x)))))))) 

((E E 1 1 1 1) (car/cons (car (car x)) (cons (cdr (car x)) (cdr x)))) 

((EE 1 1 2 1) (car/cons (car (car x)) (cons (cdr (car x)) (cdr x)))) 

((EE 1 2 1) (cdr/cons (car (car x)) (cons (cdr (car x)) (cdr x)))) 

((EE 1 2) (wt (cons (cdr (car x)) (cdr x)))) 

((EE 1 2 Q) (atom/cons (cdr (car x)) (cdr x))) 

((EE 1 2) 

(if-false ’1 

(+ (+ (wt (car (cons (cdr (car x)) (cdr x)))) 

(wt (car (cons (cdr (car x)) (cdr x))))) 

(wt (cdr (cons (cdr (car x)) (cdr x))))))) 

((E E 1 2 1 1 1) (car/cons (cdr (car x)) (cdr x))) 

((E E 1 2 1 2 1) (car/cons (cdr (car x)) (cdr x))) 

((E E 1 2 2 1) (cdr/cons (cdr (car x)) (cdr x))) 

((E E 2) (wt x)) 

((E E 2) (if-nest-E (atom x) ’1 (+ (+ (wt (car x)) (wt (car x))) (wt (cdr x))))) 
((E E 2 1 1) (wt (car x))) 

((E E 2 1 1) 

(if-nest-E (atom (car x)) 

’1 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x)))))) 

((E E 2 1 2) (wt (car x))) 

((E E 2 1 2) 

(if-nest-E (atom (car x)) 

’1 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x)))))) 

((E E 1) 

(associated 

(+ (wt (car (car x))) (wt (car (car x)))) 

(+ (wt (cdr (car x))) (wt (cdr (car x)))) 

(wt (cdr x)))) 

((E E) 

(common-addends-< 

(+ (+ (wt (car (car x))) (wt (car (car x)))) 

(+ (wt (cdr (car x))) (wt (cdr (car x))))) 

(+ (+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x)))) 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x))))) 

(wt (cdr x)))) 
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((E E 1) 

(associated 

(+ (wt (car (car x))) (wt (car (car x)))) 

(wt (cdr (car x))) 

(wt (cdr (car x))))) 

((EE 1) 

(commute-+ 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x)))) 

(wt (cdr (car x))))) 

((E E) 

(common-addends-< 

(wt (cdr (car x))) 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x)))) 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x)))))) 

((E E) 

(if-true 

(< (wt (cdr (car x))) 

(+ (+ (wt (car (car x))) (wt (car (car x)))) (wt (cdr (car x))))) 
’t)) 

((E E Q) (natp/wt (cdr (car x)))) 

((E E A 1) (identity-+ (wt (cdr (car x))))) 

((E E A) 

(common-addends-< 

’0 

(+ (wt (car (car x))) (wt (car (car x)))) 

(wt (cdr (car x))))) 

((E E Q) (natp/wt (cdr (car x)))) 

((E E Q) (positive/wt (car (car x)))) 

((E E A) (positives-+ (wt (car (car x))) (wt (car (car x))))) 

((E E) (if-same (< ’0 (wt (car (car x)))) ’t)) 

((E) (if-same (atom (car x)) ’t)) 

(() (if-same (atom x) ’t)))))) 

(defun dethm.align/align () 

(J-Bob/define (defun.align) 

’(((dethm align/align (x) 

(equal (align (align x)) (align x))) 

(align x) 

((A 1 1) (align x)) 

((A 1 1) 

(if-nest-A (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 
((A 2) (align x)) 

((A 2) 

(if-nest-A (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 
((A 1) (align x)) 

((A 1) 

(if-nest-A (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 
((A) (equal-same x)) 

((E A A 1 1) (align x)) 
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((E A A 1 1) 

(if-nest-E (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 

((E A A 1 1) 

(if-nest-A (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x)))) 
((E A A 2) (align x)) 

((E A A 2) 

(if-nest-E (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 

((E A A 2) 

(if-nest-A (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x)))) 
((E A A 1) (align (cons (car x) (align (cdr x))))) 

((E A A 1 Q) (atom/cons (car x) (align (cdr x)))) 

((E A A 1 E Q 1) (car/cons (car x) (align (cdr x)))) 

((E A A 1 E A 1) (car/cons (car x) (align (cdr x)))) 

((EAA1EA2 1) (cdr/cons (car x) (align (cdr x)))) 

((E A A 1) 

(if-false (cons (car x) (align (cdr x))) 

(if (atom (car x)) 

(cons (car x) (align (align (cdr x)))) 

(align (rotate (cons (car x) (align (cdr x)))))))) 

((E A A 1) 

(if-nest-A (atom (car x)) 

(cons (car x) (align (align (cdr x)))) 

(align (rotate (cons (car x) (align (cdr x))))))) 

((E A A 1 2) (equal-if (align (align (cdr x))) (align (cdr x)))) 

((E A A) (equal-same (cons (car x) (align (cdr x))))) 

((E A) (if-same (equal (align (align (cdr x))) (align (cdr x))) ’t)) 

((E E A 1 1) (align x)) 

((E E A 1 1) 

(if-nest-E (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 

((E E A 1 1) 

(if-nest-E (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x)))) 
((E E A 2) (align x)) 

((E E A 2) 

(if-nest-E (atom x) 
x 

(if (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x))))) 

((E E A 2) 

(if-nest-E (atom (car x)) (cons (car x) (align (cdr x))) (align (rotate x)))) 
((E E A 1) (equal-if (align (align (rotate x))) (align (rotate x)))) 

((E E A) (equal-same (align (rotate x)))) 

((E E) (if-same (equal (align (align (rotate x))) (align (rotate x))) ’t)) 

((E) (if-same (atom (car x)) ’t)) 

(() (if-same (atom x) ’t)))))) 
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The definition of J-Bob follows; it is also at 
http://the-little-prover.org/. J-Bob 
is defined in its own language. We first 
present an implementation of this lan¬ 
guage in both ACL2 and Scheme; we en¬ 
courage the reader to implement J-Bob 
and its language in any other language 
of choice. There will necessarily be dif¬ 
ferences between implementations in dif¬ 
ferent languages. For example, in ACL2, 
(equal 'nil '()) is equal to 't while in Scheme 
it is equal to 'nil. We have chosen the 
examples in this book so that the differ¬ 
ence never arises. Both implementations 
of J-Bob are correct and self-consistent be¬ 
cause they implement the nine operators 
to be consistent with J-Bob’s axioms. 

ACL2. We have chosen the programs in 
this book to be mostly compatible with the 
ACL2 theorem prover, on which much of 
this book is based. Expressions, function 
definitions, and eight of our nine built-in 
operators are compatible with ACL2. Both 
dethm and size must be defined in ACL2: 


(defun if->implies (exp hyps) 

(case-match exp 
((’if Q A E) 

(append 

(if->implies A ‘(,@hyps , Q)) 
(if->implies E ‘(,@hyps (not ,Q))))) 
((’equal X Y) 

‘((rrewrite :corollary 

(implies (and ,Ohyps) 

(equal ,X ,Y))))) 

(& ’()))) 


(defmacro dethm (name args body) 

(declare (ignore args)) 

(let ((rules (if->implies body ’()))) 

‘(defthm .name ,body 

:rule-classes .rules))) 

(defun size (x) 

(if (atom x) 

’0 

(+ ’1 (size (car x)) (size (cdr x))))) 


Scheme. The language of programs in 
this book can be defined in Scheme by re¬ 
defining if to operate on 't and 'nil rather 
than #t and #f, defining the missing built-in 
operators, and by changing some existing 
operators to be total : to return a value no 
matter what input they are given. Here is 
the code to do so: 


(define 

s.car car) 





(define 

s.cdr cdr) 





(define 

s. + +) 






(define 

s. < <) 






(define 

(num x) 

(if 

(number? x) 

x 0)) 



(define 

(if/nil 

Q A 

E) 




(if (€ 

;qual? Q 

’nil) (E) (A))) 




(define 

(atom x) 

(if (pair? x) ’ 

nil ’ 

t)) 


(define 

(car x) 

(if 

(pair? x) (s 

;. car 

x) 

’())) 

(define 

(cdr x) 

(if 

(pair? x) (s 

;. cdr 

x) 

’())) 

(define 

(equal x 

y) 

(if (equal? 

x y) 

’t 

’nil)) 

(define 

(natp x) 






(if (integer? 

x) 

(if (< x 0) ’ 

nil ’ 

t) 

’nil)) 

(define 

(+ x y) 

(s. 

+ (num x) (num y)) 

) 


(define 

(< x y) 






(if (s 

».< (num 

x) 

(num y)) ’t ’ 

nil)) 




(define-syntax if 
(syntax-rules () 

((_ Q A E) 

(if/nil Q (lambda () A) (lambda () E))))) 

(define-syntax defun 
(syntax-rules () 

((_ name (arg ...) body) 

(define (name arg ...) body)))) 

(define-syntax dethm 
(syntax-rules () 

((_ name (arg ...) body) 

(define (name arg ...) body)))) 

(defun size (x) 

(if (atom x) 

’0 

(+ ’1 (size (car x)) (size (cdr x))))) 
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J-Bob. J-Bob, like ACL2, disallows for¬ 
ward references; therefore we write J-Bob 
in a bottom-up style. We adopt two nam¬ 
ing conventions for functions. Construc¬ 
tors of tagged lists end in -c. Except for 
equal, atom, natp, and <, functions that 
return either true or false end in ?. 

Every theorem and function presented 
in the chapters of the book has been ver¬ 
ified using ACL2 in addition to the step- 
by-step proofs we present using J-Bob. 

The first definitions in our implemen¬ 
tation of J-Bob are simple functions for list 
manipulation. 

(defun listO () ’()) 

(defun listO? (x) (equal x ’())) 

(defun listl (x) (cons x (listO))) 

(defun listl? (x) 

(if (atom x) ’nil (listO? (cdr x)))) 

(defun eleml (xs) (car xs)) 

(defun list2 (x y) (cons x (listl y))) 

(defun list2? (x) 

(if (atom x) ’nil (listl? (cdr x)))) 

(defun elem2 (xs) (eleml (cdr xs))) 

(defun list3 (x y z) (cons x (list2 y z))) 

(defun list3? (x) 

(if (atom x) ’nil (list2? (cdr x)))) 

(defun elem3 (xs) (elem2 (cdr xs))) 

(defun tag (sym x) (cons sym x)) 

(defun tag? (sym x) 

(if (atom x) ’nil (equal (car x) sym))) 

(defun untag (x) (cdr x)) 

(defun member? (x ys) 

(if (atom ys) 

’nil 

(if (equal x (car ys)) 

’t 

(member? x (cdr ys))))) 

We have chosen our data representations 
to mirror the syntax of the language of 
J-Bob. Our four kinds of expressions are 
quote, if, function application, and vari¬ 
able reference. This allows J-Bob to ac¬ 
cept quoted expressions using the same 
syntax as J-Bob’s definition. For defining 
functions and theorems, we use defun and 
dethm, respectively. 


(defun quote-c (value) 

(tag ’quote (listl value))) 

(defun quote? (x) 

(if (tag? ’quote x) (listl? (untag x)) ’nil)) 
(defun quote.value (e) (eleml (untag e))) 

(defun if-c (Q A E) (tag ’if (list3 Q A E))) 
(defun if? (x) 

(if (tag? ’if x) (list3? (untag x)) ’nil)) 
(defun if.Q (e) (eleml (untag e))) 

(defun if.A (e) (elem2 (untag e))) 

(defun if.E (e) (elem3 (untag e))) 

(defun app-c (name args) (cons name args)) 

(defun app? (x) 

(if (atom x) 

’nil 

(if (quote? x) 

’nil 

(if (if? x) 

’nil 

’t)))) 

(defun app.name (e) (car e)) 

(defun app.args (e) (cdr e)) 

(defun var? (x) 

(if (equal x ’t) 

’nil 

(if (equal x ’nil) 

’nil 

(if (natp x) 

’nil 

(atom x))))) 

(defun defun-c (name formals body) 

(tag ’defun (list3 name formals body))) 

(defun defun? (x) 

(if (tag? ’defun x) (list3? (untag x)) ’nil)) 
(defun defun.name (def) (eleml (untag def))) 
(defun defun.formals (def) (elem2 (untag def))) 
(defun defun.body (def) (elem3 (untag def))) 

(defun dethm-c (name formals body) 

(tag ’dethm (list3 name formals body))) 

(defun dethm? (x) 

(if (tag? ’dethm x) (list3? (untag x)) ’nil)) 
(defun dethm.name (def) (eleml (untag def))) 
(defun dethm.formals (def) (elem2 (untag def))) 
(defun dethm.body (def) (elem3 (untag def))) 

The if-QAE and QAE-if functions convert 
between an if expression and a list of its 
three subexpressions. The rat or? function 
recognizes operators and rat or. formals 
produces the formal argument list of each. 
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(defun if-QAE (e) 

(list3 (if.Q e) (if.A e) (if.E e))) 

(defun QAE-if (es) 

(if-c (eleml es) (elem2 es) (elem3 es))) 

(defun rator? (name) 

(member? name 

’(equal atom car cdr cons natp size + <))) 

(defun rator.formals (rator) 

(if (member? rator ’(atom car cdr natp size)) 
’ (x) 

(if (member? rator ’(equal cons + <)) 

’(x y) 

’nil))) 


The def .name and def .formals functions 
extract parts of values that may be either 
a defun or a dethm. 

(defun def.name (def) 

(if (defun? def) 

(defun.name def) 

(if (dethm? def) 

(dethm.name def) 
def))) 

(defun def.formals (def) 

(if (dethm? def) 

(dethm.formals def) 

(if (defun? def) 

(defun.formals def) 

’()))) 


The function if-c-when-necessary con¬ 
structs an if when its answer and else are 
distinct; conjunction and implication 
combine lists of expressions using appro¬ 
priate nested ifs. 

(defun if-c-when-necessary (Q A E) 

(if (equal A E) A (if-c Q A E))) 

(defun conjunction (es) 

(if (atom es) 

(quote-c ’t) 

(if (atom (cdr es)) 

(car es) 

(if-c (car es) 

(conjunction (cdr es)) 

(quote-c ’nil))))) 

(defun implication (es e) 

(if (atom es) 
e 

(if-c (car es) 

(implication (cdr es) e) 

(quote-c ’t)))) 


The next group of functions manipulate 
sets and association lists. These associ¬ 
ation lists are represented as lists of def¬ 
initions; lookup finds a definition in a 
list by comparing a given name to the 
def .name of each list element. The func¬ 
tion undefined? reports when none of the 
definitions in a list match a given name. 

The args-arity? and app-arity? 
functions determine whether an applica¬ 
tion has the right number of arguments. 

(defun args-arity? (def args) 

(if (dethm? def) 

’nil 

(if (defun? def) 

(arity? (defun.formals def) args) 

(if (rator? def) 

(arity? (rator.formals def) args) 

’nil)))) 

(defun app-arity? (defs app) 

(args-arity? (lookup (app.name app) defs) 

(app.args app))) 


(defun lookup (name defs) 

(if (atom defs) 
name 

(if (equal (def.name (car defs)) name) 
(car defs) 

(lookup name (cdr defs))))) 

(defun undefined? (name defs) 

(if (var? name) 

(equal (lookup name defs) name) 

’nil)) 


J-Bob makes sure its inputs are sensible be¬ 
fore proceeding with a proof; the functions 
expr? and exprs? check expressions and 
lists of expressions, respectively, to make 
sure that undefined names are not used, 
applications have the right number of ar¬ 
guments, etc. If 5 any is passed for the list 
of bound variables, J-Bob allows unbound 
variables; function and theorem bodies 
must only use bound variables, while proof 
steps may freely introduce new variables. 

(defun bound? (var vars) 

(if (equal vars ’any) ’t (member? var vars))) 
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(defun exprs? (defs vars es) 

(if (atom es) 

’t 

(if (var? (car es)) 

(if (bound? (car es) vars) 

(exprs? defs vars (cdr es)) 

’nil) 

(if (quote? (car es)) 

(exprs? defs vars (cdr es)) 

(if (if? (car es)) 

(if (exprs? defs vars 

(if-QAE (car es))) 

(exprs? defs vars (cdr es)) 
’nil) 

(if (app? (car es)) 

(if (app-arity? defs (car es)) 
(if (exprs? defs vars 

(app.args (car es))) 
(exprs? defs vars (cdr es)) 
’nil) 

’nil) 

’nil)))))) 

(defun expr? (defs vars e) 

(exprs? defs vars (listl e))) 


Sets are represented as lists with no du¬ 
plicates. Functions included are subset?, 
list-extend, and list-union, which also 
preserves the left-to-right ordering of ele¬ 
ments in a predictable way that is conve¬ 
nient for constructing totality claims and 
inductive claims. 

(defun subset? (xs ys) 

(if (atom xs) 

’t 

(if (member? (car xs) ys) 

(subset? (cdr xs) ys) 

’nil))) 

(defun list-extend (xs x) 

(if (atom xs) 

(listl x) 

(if (equal (car xs) x) 
xs 

(cons (car xs) 

(list-extend (cdr xs) x))))) 

(defun list-union (xs ys) 

(if (atom ys) 
xs 

(list-union (list-extend xs (car ys)) 

(cdr ys)))) 


The functions get-arg and set-arg pro¬ 
cess argument lists indexed from 1. 


(defun get-arg-from (n args from) 

(if (atom args) 

’nil 

(if (equal n from) 

(car args) 

(get-arg-from n (cdr args) (+ from ’1))))) 
(defun get-arg (n args) 

(get-arg-from n args ’1)) 

(defun set-arg-from (n args y from) 

(if (atom args) 

’() 

(if (equal n from) 

(cons y (cdr args)) 

(cons (car args) 

(set-arg-from n (cdr args) y 

(+ from ’1)))))) 

(defun set-arg (n args y) 

(set-arg-from n args y ’1)) 


Several predicates operate on argument 
lists: <=len reports whether a given index 
is less than or equal to the length of an 
argument list; arity? reports whether a 
list of formal arguments and a list of ac¬ 
tual arguments have the same length; and 
f ormals? reports whether a given list rep¬ 
resents distinct formal arguments. 

(defun <=len-from (n args from) 

(if (atom args) 

’nil 

(if (equal n from) 

’t 

(<=len-from n (cdr args) (+ from ’1))))) 

(defun <=len (n args) 

(if (< ’0 n) (<=len-from n args ’1) ’nil)) 

(defun arity? (vars es) 

(if (atom vars) 

(atom es) 

(if (atom es) 

’nil 

(arity? (cdr vars) (cdr es))))) 

(defun formals? (vars) 

(if (atom vars) 

’t 

(if (var? (car vars)) 

(if (member? (car vars) (cdr vars)) 

’nil 

(formals? (cdr vars))) 

’nil))) 


The path to a focus is recognized by path? 
and direction?. 
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(defun direction? (dir) 

(if (natp dir) 

’t 

(member? dir ’ (Q A E)))) 

(defun path? (path) 

(if (atom path) 

’t 

(if (direction? (car path)) 
(path? (cdr path)) 

’nil))) 


The function quoted-exprs? is a predicate 
that recognizes lists of quoted literals. 

(defun quoted-exprs? (args) 

(if (atom args) 

’t 

(if (quote? (car args)) 

(quoted-exprs? (cdr args)) 

’nil))) 


The arguments to a proof step’s applica¬ 
tion are checked by step-args?, which al¬ 
lows free variables but requires the argu¬ 
ments to an operator to be quoted literals. 

(defun step-args? (defs def args) 

(if (dethm? def) 

(if (arity? (dethm.formals def) args) 

(exprs? defs ’any args) 

’nil) 

(if (defun? def) 

(if (arity? (defun.formals def) args) 
(exprs? defs ’any args) 

’nil) 

(if (rator? def) 

(if (arity? (rator.formals def) args) 
(quoted-exprs? args) 

’nil) 

’nil)))) 

(defun step-app? (defs app) 

(step-args? defs 

(lookup (app.name app) defs) 

(app.args app))) 


The steps? function checks the syntax of 
proof steps to make sure they each contain 
a path and an application of a theorem 
or function name to the right number of 
syntactically valid expressions. In the case 
of operators, the arguments must be quote 
expressions. 


(defun step? (defs step) 

(if (path? (eleml step)) 

(if (app? (elem2 step)) 

(step-app? defs (elem2 step)) 
’nil) 

’nil)) 

(defun steps? (defs steps) 

(if (atom steps) 

’t 

(if (step? defs (car steps)) 
(steps? defs (cdr steps)) 
’nil))) 


The seed of a proof is the induction scheme 
for a theorem’s proof or a measure for 
a function’s totality proof. An induction 
scheme must be an application of a defined 
function to a sequence of distinct variables, 
as checked by induction-scheme?. A 
measure may be any syntactically valid ex¬ 
pression that refers only to previously de¬ 
fined functions and the formal arguments 
of the function being defined, which are 
checked by seed?. 

(defun induction-scheme-for? (def vars e) 

(if (defun? def) 

(if (arity? (defun.formals def) (app.args e); 
(if (formals? (app.args e)) 

(subset? (app.args e) vars) 

’nil) 

’nil) 

’nil)) 

(defun induction-scheme? (defs vars e) 

(if (app? e) 

(induction-scheme-for? 

(lookup (app.name e) defs) 

vars 

e) 

’nil)) 

(defun seed? (defs def seed) 

(if (equal seed ’nil) 

’t 

(if (defun? def) 

(expr? defs (defun.formals def) seed) 

(if (dethm? def) 

(induction-scheme? defs 
(dethm.formals def) 
seed) 

’nil)))) 


The Little Assistant 


207 








Individual definitions are checked by def?, 
which checks that defuns and dethms have 
unique names, valid formal argument lists, 
and syntactically valid body expressions. 


(defun extend-rec (defs def) 

(if (defun? def) 

(list-extend defs 
(defun-c 

(defun.name def) 

(defun.formals def) 

(app-c (defun.name def) 

(defun.formals def)))) 

defs)) 

(defun def-contents? (known-defs formals body) 
(if (formals? formals) 

(expr? known-defs formals body) 

’nil)) 

(defun def? (known-defs def) 

(if (dethm? def) 

(if (undefined? (dethm.name def) 
known-defs) 

(def-contents? known-defs 
(dethm.formals def) 

(dethm.body def)) 

’nil) 

(if (defun? def) 

(if (undefined? (defun.name def) 
known-defs) 

(def-contents? 

(extend-rec known-defs def) 

(defun.formals def) 

(defun.body def)) 

’nil) 

’nil))) 


(defun list2-or-more? (pf) 

(if (atom pf) 

’nil 

(if (atom (cdr pf)) 

’nil 

’t))) 


(defun proof? (defs pf) 

(if (list2-or-more? pf) 

(if (def? defs (eleml pf)) 

(if (seed? defs (eleml pf) 
(steps? (extend-rec defs 
(cdr (cdr pf))) 

’nil) 

’nil) 

’nil)) 

(elem2 pf)) 
(eleml pf)) 


We define substitution in sub-e and its 
helpers, which maintain separate, corre¬ 
sponding lists of formal arguments and the 
actual arguments to replace them with. 


(defun proofs? (defs pfs) 

(if (atom pfs) 

’t 

(if (proof? defs (car pfs)) 
(proofs? 

(list-extend defs (eleml 
(cdr pfs)) 

’nil))) 


(car pfs))) 


(defun sub-var (vars args var) 

(if (atom vars) 
var 

(if (equal (car vars) var) 

(car args) 

(sub-var (cdr vars) (cdr args) 


var)))) 


(defun defs? (known-defs defs) 

(if (atom defs) 

’t 

(if (def? known-defs (car defs)) 
(defs? (list-extend known-defs 
(cdr defs)) 

’nil))) 


(car defs)) 


J-Bob checks lists of proofs using proofs?, 
which in turn checks the definitions, seeds, 
and proof steps of each one using the pre¬ 
viously described functions. 


(defun sub-es (vars args es) 

(if (atom es) 

’() 

(if (var? (car es)) 

(cons (sub-var vars args (car es)) 
(sub-es vars args (cdr es))) 

(if (quote? (car es)) 

(cons (car es) 

(sub-es vars args (cdr es))) 

(if (if? (car es)) 

(cons 

(QAE-if 

(sub-es vars args 
(if-QAE (car es)))) 

(sub-es vars args (cdr es))) 

(cons 

(app-c (app.name (car es)) 

(sub-es vars args 

(app.args (car es)))) 

(sub-es vars args (cdr es)))))))) 
(defun sub-e (vars args e) 

(eleml (sub-es vars args (listl e)))) 
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The expr-recs and exprs-recs functions 
extract the recursive applications from the 
body of a function definition, given the 
function’s name and the expression(s) in 
question. 

(defun exprs-recs (f es) 

(if (atom es) 

’() 

(if (var? (car es)) 

(exprs-recs f (cdr es)) 

(if (quote? (car es)) 

(exprs-recs f (cdr es)) 

(if (if? (car es)) 

(list-union 

(exprs-recs f (if-QAE (car es))) 
(exprs-recs f (cdr es))) 

(if (equal (app.name (car es)) f) 
(list-union 

(listl (car es)) 

(list-union 
(exprs-recs f 

(app.args (car es))) 

(exprs-recs f (cdr es)))) 
(list-union 

(exprs-recs f (app.args (car es))) 

(exprs-recs f 

(cdr es))))))))) 

(defun expr-recs (f e) 

(exprs-recs f (listl e))) 

The function totality/claim and its cor¬ 
responding function induction/claim are 
responsible for constructing totality claims 
and inductive claims, respectively. These 
functions construct their claims following 
the steps described in chapters 8 and 9, 
extended to account for recursive appli¬ 
cations in the question of an if. These 
definitions rely on the predictable ordering 
of elements produced by list-union. 


(defun totality/< (meas formals app) 

(app-c ’< 

(list2 (sub-e formals (app.args app) meas) 
meas))) 

(defun totality/meas (meas formals apps) 

(if (atom apps) 

’() 

(cons 

(totality/< meas formals (car apps)) 
(totality/meas meas formals (cdr apps))))) 

(defun totality/if (meas f formals e) 

(if (if? e) 

(conjunction 

(list-extend 

(totality/meas meas formals 
(expr-recs f (if.Q e))) 

(if-c-when-necessary (if.Q e) 
(totality/if meas f formals 
(if.A e)) 

(totality/if meas f formals 
(if•E e))))) 

(conjunction 

(totality/meas meas formals 
(expr-recs f e))))) 

(defun totality/claim (meas def) 

(if (equal meas ’nil) 

(if (equal (expr-recs (defun.name def) 

(defun.body def)) 

’()) 

(quote-c ’t) 

(quote-c ’nil)) 

(if-c 

(app-c ’natp (listl meas)) 

(totality/if meas (defun.name def) 

(defun.formals def) 

(defun.body def)) 

(quote-c ’nil)))) 
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(defun induction/prems (vars claim apps) 

(if (atom apps) 

’() 

(cons 

(sub-e vars (app.args (car apps)) claim) 
(induction/prems vars claim (cdr apps))))) 

(defun induction/if (vars claim f e) 

(if (if? e) 

(implication 

(induction/prems vars claim 
(expr-recs f (if.Q e))) 

(if-c-when-necessary (if.Q e) 

(induction/if vars claim f (if.A e)) 
(induction/if vars claim f (if.E e)))) 
(implication 

(induction/prems vars claim 
(expr-recs f e)) 
claim))) 

(defun induction/defun (vars claim def) 
(induction/if vars claim (defun.name def) 
(sub-e (defun.formals def) vars 
(defun.body def)))) 

(defun induction/claim (defs seed def) 

(if (equal seed ’nil) 

(dethm.body def) 

(induction/defun (app.args seed) 

(dethm.body def) 

(lookup (app.name seed) defs)))) 


Proof steps find the focus of a claim and 
the premises based on a path constructed 
as a list of directions : ’Q, ’A, ’E, or a 

positive natural number, just like a walk¬ 
ing path is constructed from the directions 
North, South, East, and West. Now that 
we have reached the final focus, we con¬ 
sider the second argument of the proof 
step: (name arg . . .). Next we substitute 
the variables of the associated conclusion— 
either a theorem body or a rewrite associ¬ 
ated with applying a function—with the 
arguments (arg . . .), thus producing an 
instantiated conclusion. 

Before we are permitted to use this 
instantiated theorem, we must check the 
premises with follow-prems against the 
instantiated theorem. This leads to an 
equality as the instantiated conclusion that 
represents two provably equal expressions. 


(defun find-focus-at-direction (dir e) 

(if (equal dir ’Q) 

(if.Q e) 

(if (equal dir ’A) 

(if.A e) 

(if (equal dir ’E) 

(if.E e) 

(get-arg dir (app.args e)))))) 

(defun rewrite-focus-at-direction (dir el e2) 
(if (equal dir ’Q) 

(if-c e2 (if.A el) (if.E el)) 

(if (equal dir ’A) 

(if-c (if.Q el) e2 (if.E el)) 

(if (equal dir ’E) 

(if-c (if.Q el) (if.A el) e2) 

(app-c (app.name el) 

(set-arg dir (app.args el) e2)))))) 

(defun focus-is-at-direction? (dir e) 

(if (equal dir ’Q) 

(if? e) 

(if (equal dir ’A) 

(if? e) 

(if (equal dir ’E) 

(if? e) 

(if (app? e) 

(<=len dir (app.args e)) 

’nil))))) 

(defun focus-is-at-path? (path e) 

(if (atom path) 

’t 

(if (focus-is-at-direction? (car path) e) 

(focus-is-at-path? (cdr path) 

(find-focus-at-direction (car path) e)) 
’nil))) 

(defun find-focus-at-path (path e) 

(if (atom path) 
e 

(find-focus-at-path (cdr path) 

(find-focus-at-direction (car path) e)))) 

(defun rewrite-focus-at-path (path el e2) 

(if (atom path) 
e2 

(rewrite-focus-at-direction (car path) el 
(rewrite-focus-at-path (cdr path) 

(find-focus-at-direction (car path) el) 
e2)))) 
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(defun prem-A? (prem path e) 

(if (atom path) 

’nil 

(if (equal (car path) ’A) 

(if (equal (if.Q e) prem) 

’t 

(prem-A? prem (cdr path) 

(find-focus-at-direction (car path) 
e))) 

(prem-A? prem (cdr path) 

(find-focus-at-direction (car path) 
e))))) 

(defun prem-E? (prem path e) 

(if (atom path) 

’nil 

(if (equal (car path) ’E) 

(if (equal (if.Q e) prem) 

’t 

(prem-E? prem (cdr path) 

(find-focus-at-direction (car path) 
e))) 

(prem-E? prem (cdr path) 

(find-focus-at-direction (car path) 
e))))) 

(defun follow-prems (path e thm) 

(if (if? thm) 

(if (prem-A? (if.Q thm) path e) 
(follow-prems path e (if.A thm)) 

(if (prem-E? (if.Q thm) path e) 
(follow-prems path e (if.E thm)) 
thm)) 
thm)) 


The function apply-op applies an operator 
to a list of values and returns a value. 


(defun unary-op (rator rand) 

(if (equal rator ’atom) 

(atom rand) 

(if (equal rator ’car) 

(car rand) 

(if (equal rator ’cdr) 

(cdr rand) 

(if (equal rator ’natp) 
(natp rand) 

(if (equal rator ’size) 
(size rand) 

’nil)))))) 


(defun binary-op (rator randl rand2) 

(if (equal rator ’equal) 

(equal randl rand2) 

(if (equal rator ’cons) 

(cons randl rand2) 

(if (equal rator ’+) 

(+ randl rand2) 

(if (equal rator ’<) 

(< randl rand2) 

’nil))))) 

(defun apply-op (rator rands) 

(if (member? rator ’(atom car cdr natp size)) 
(unary-op rator (eleml rands)) 

(if (member? rator ’(equal cons + <)) 
(binary-op rator 
(eleml rands) 

(elem2 rands)) 

’nil))) 


When a proof step's application refers to 
an operator, eval-op produces an expres¬ 
sion representing the value of that appli¬ 
cation, and rands function extracts the 
values of the operator’s quoted arguments. 


(defun rands (args) 

(if (atom args) 

’() 

(cons (quote.value (car args)) 
(rands (cdr args))))) 

(defun eval-op (app) 

(quote-c 

(apply-op (app.name app) 

(rands (app.args app))))) 


The proof steps rewrite the focus within a 
claim to one that is provably equal to it. 
There are three kinds of proof steps as is 
evident in the definition of equality/def. 
A proof step may use the operators (equal, 
atom, car, cdr, cons, natp, size, +, or <) 
applied to quoted values, yielding a quoted 
value; the definition of a function; or a 
possibly conditional equality in any defined 
theorem. In each proof step, J-Bob pro¬ 
duces two expressions that may be rewrit¬ 
ten to each other. 

These two expressions are then passed 
along to equality with the final focus. 
This function checks whether either ex¬ 
pression is equal to the final focus. 
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If so, equality performs the rewrite 
by returning the other expression as the 
new focus. If not, the proof step has 
failed and equality returns the final fo¬ 
cus unchanged. In either case, we are 
left to expand out the context around this 
possibly new focus. Thus, as the recur¬ 
sion of equality/path cautiously unwinds 
into rewrite-focus-at-direction, we go 
backwards one direction at a time, rebuild¬ 
ing the original context yielding either a 
new claim with the new focus or the origi¬ 
nal claim. 

(defun app-of-equal? (e) 

(if (app? e) 

(equal (app.name e) ’equal) 

’nil)) 

(defun equality (focus a b) 

(if (equal focus a) 
b 

(if (equal focus b) 
a 

focus))) 

(defun equality/equation (focus concl-inst) 

(if (app-of-equal? concl-inst) 

(equality focus 

(eleml (app.args concl-inst)) 

(elem2 (app.args concl-inst))) 
focus)) 

(defun equality/path (e path thm) 

(if (focus-is-at-path? path e) 

(rewrite-focus-at-path path e 
(equality/equation 

(find-focus-at-path path e) 

(follow-prems path e thm))) 

e)) 


(defun equality/def (claim path app def) 

(if (rator? def) 

(equality/path claim path 

(app-c ’equal (list2 app (eval-op app)))) 
(if (defun? def) 

(equality/path claim path 
(sub-e (defun.formals def) 

(app.args app) 

(app-c ’equal 
(list2 

(app-c (defun.name def) 

(defun.formals def)) 

(defun.body def))))) 

(if (dethm? def) 

(equality/path claim path 
(sub-e (dethm.formals def) 

(app.args app) 

(dethm.body def))) 
claim)))) 


The function rewrite/steps rewrites the 
given claim according to each proof step 
in the list of suggested proof steps, stop¬ 
ping either when there are no more proof 
steps or when a proof step fails. A proof 
step is considered to fail when it rewrites 
a claim to the same claim. The function 
rewrite/continue passes the new claim 
that results from the first proof step to 
rewrite/steps and the old claim. 

(defun rewrite/step (defs claim step) 

(equality/def claim (eleml step) (elem2 step) 
(lookup (app.name (elem2 step)) defs))) 

(defun rewrite/continue (defs steps old new) 

(if (equal new old) 
new 

(if (atom steps) 
new 

(rewrite/continue defs (cdr steps) new 
(rewrite/step defs new (car steps)))))) 

(defun rewrite/steps (defs claim steps) 

(if (atom steps) 
claim 

(rewrite/continue defs (cdr steps) claim 
(rewrite/step defs claim (car steps))))) 
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(defun rewrite/prove (defs def seed steps) 

(if (defun? def) 

(rewrite/steps defs 

(totality/claim seed def) 
steps) 

(if (dethm? def) 

(rewrite/steps defs 

(induction/claim defs seed def) 
steps) 

(quote-c ’nil)))) 

(defun rewrite/prove+1 (defs pf e) 

(if (equal e (quote-c ’t)) 

(rewrite/prove defs (eleml pf) (elem2 pf) 
(cdr (cdr pf))) 
e)) 

(defun rewrite/prove+ (defs pfs) 

(if (atom pfs) 

(quote-c ’t) 

(rewrite/prove+1 defs (car pfs) 
(rewrite/prove+ 

(list-extend defs (eleml (car pfs))) 
(cdr pfs))))) 


(defun rewrite/define (defs def seed steps) 

(if (equal (rewrite/prove defs def seed steps) 

(quote-c ’t)) 

(list-extend defs def) 
defs)) 

(defun rewrite/define+1 (defsl defs2 pfs) 

(if (equal defsl defs2) 
defsl 

(if (atom pfs) 
def s2 

(rewrite/define+1 defs2 
(rewrite/define defs2 
(eleml (car pfs)) 

(elem2 (car pfs)) 

(cdr (cdr (car pfs)))) 

(cdr pfs))))) 

(defun rewrite/define+ (defs pfs) 

(if (atom pfs) 
defs 

(rewrite/define+1 defs 
(rewrite/define defs 
(eleml (car pfs)) 

(elem2 (car pfs)) 

(cdr (cdr (car pfs)))) 

(cdr pfs)))) 

Our proof assistant, J-Bob, has an inter¬ 
active front-end: J-Bob/prove. It accepts 
a list of established definitions (theorems 
or functions) and a list of proof attempts. 
Each proof attempt is a list of two or more 
elements: a proposed definition (defun or 


dethm), a seed (measure expression or in¬ 
duction scheme), and zero or more proof 
steps. A proof step specifies a justification 
for an individual rewrite contributing to a 
proof that the proposed theorem is true or 
that the proposed function is total. 

J-Bob/prove processes proof attempts 
in reverse order, attempting the last one 
first, similarly to how we prove align’s to¬ 
tality claim first in chapter 10 before re¬ 
turning to natp/wt and positive/wt. If a 
proof fails at any point, rewrite/prove+ 
stops and produces the result of the last 
correct rewrite. Otherwise it produces the 
final quoted expression ”t. 

J-Bob/def ine is designed to extend an 
existing set of definitions with a list of defi¬ 
nitions if the corresponding proof attempts 
succeed. Finally, J-Bob/step processes a 
sequence of rewriting steps in order with¬ 
out any proof attempt. As in the recess 
of chapter 2, this can be used to explore 
rewriting without an explicit goal of ”t. 



The Little Assistant 


213 







(defun axioms () 

’((dethm atom/cons (x y) 

(equal (atom (cons x y)) ’nil)) 

(dethm car/cons (x y) 

(equal (car (cons x y)) x)) 

(dethm cdr/cons (x y) 

(equal (cdr (cons x y)) y)) 

(dethm equal-same (x) 

(equal (equal x x) ’t)) 

(dethm equal-swap (x y) 

(equal (equal x y) (equal y x))) 

(dethm if-same (x y) 

(equal (if x y y) y)) 

(dethm if-true (x y) 

(equal (if ’t x y) x)) 

(dethm if-false (x y) 

(equal (if ’nil x y) y)) 

(dethm if-nest-E (x y z) 

(if x ’t (equal (if x y z) z))) 

(dethm if-nest-A (x y z) 

(if x (equal (if x y z) y) ’t)) 

(dethm cons/car+cdr (x) 

(if (atom x) 

’t 

(equal (cons (car x) (cdr x)) x))) 

(dethm equal-if (x y) 

(if (equal x y) (equal x y) ’t)) 

(dethm natp/size (x) 

(equal (natp (size x)) ’t)) 

(dethm size/car (x) 

(if (atom x) 

’t 

(equal (< (size (car x)) (size x)) ’t))) 
(dethm size/cdr (x) 

(if (atom x) 

’t 

(equal (< (size (cdr x)) (size x)) ’t))) 
(dethm associated (a b c) 

(equal (+ (+ a b) c) (+ a (+ b c)))) 

(dethm commute-+ (x y) 

(equal (+ x y) (+ y x))) 

(dethm natp/+ (x y) 

(if (natp x) 

(if (natp y) 

(equal (natp (+ x y)) ’t) 

’t) 

’t)) 

(dethm positives-+ (x y) 

(if (< ’0 x) 

(if (< ’0 y) 

(equal (< ’0 (+ x y)) ’t) 

’t) 

’t)) 

(dethm common-addends-< (x y z) 

(equal (< (+ x z) (+ y z)) (< x y))) 

(dethm identity-+ (x) 

(if (natp x) (equal (+ ’0 x) x) ’t)))) 


The function axioms produces a list of 
the axioms we use in the preceding chap¬ 
ters, and prelude extends it with the 
definitions and proofs of totality claims 
of list-induction and star-induction 
used for List Induction and Star Induction, 
respectively. 

(defun prelude () 

(J-Bob/define (axioms) 

’(((defun list-induction (x) 

(if (atom x) 

’() 

(cons (car x) 

(list-induction (cdr x))))) 

(size x) 

((A E) (size/cdr x)) 

((A) (if-same (atom x) ’t)) 

((Q) (natp/size x)) 

(() (if-true ’t ’nil))) 

((defun star-induction (x) 

(if (atom x) 
x 

(cons (star-induction (car x)) 
(star-induction (cdr x))))) 

(size x) 

((A E A) (size/cdr x)) 

((A E Q) (size/car x)) 

((A E) (if-true ’t ’nil)) 

((A) (if-same (atom x) ’t)) 

((Q) (natp/size x)) 

(() (if-true ’t ’nil)))))) 
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We hope that you have enjoyed reading this book, and have enjoyed playing with our 
proof assistant J-Bob. If you want to find out more about proofs and logic, there are 
several options for where to turn next. 

J-Bob is named after J Moore and Bob Boyer, who wrote one of the earliest 
mechanical theorem provers called Nqthm. The modern version of Nqthm, written by 
J Moore and Matt Kaufmann, is called ACL2. ACL2 allows you to play with theorems 
like you can in J-Bob, but does a lot of the “heavy lifting” for you. That way you 
can prove more complicated theorems with less effort. In fact, ACL2 can prove every 
totality claim and theorem in this book given only the relevant defuns and dethms. It 
does all the rest of the work for you. 

ACL2 can be found at http://www.cs.utexas.edu/users/moore/acl2/. For a 
simple user interface to ACL2, try “Dracula,” available at http://dracula-lang.org/, 
which adds tools such as syntax checking, automated testing, and the ability to prove 
theorems about programs that use pictures and animations. For access to more powerful 
ACL2 features, check out the “ACL2 Sedan” at http://acl2s.ccs.neu.edu/acl2s/ 
doc/, which adds even more automation to totality proofs and supports the full range 
of ACL2’s features. 

J-Bob and ACL2 are not the only kind of mechanical theorem provers that exist. 
There are many others that support different languages of expressions. Examples include 
Agda (http://wiki.portal.chalmers.se/agda/), Coq (http://coq.inria.fr/), 
Isabelle/HOL (http://www.cl.cam.ac.uk/research/hvg/Isabelle/), PVS (http: 
//pvs . csl. sri. com/), and Twelf (http://twelf.org/). 

We can also recommend some further reading on the topic of proofs and logic. The 
modern founder of the use of recursion in Logic is Thoralf Albert Skolem. In Skolem’s 
1919 paper (published in 1923), he observed that one could use the recursive mode of 
thought to avoid “some” used in Whitehead and Russell’s Principia Mathematica. The 
ideas of this paper were important to the development of the Boyer-Moore Theorem 
Prover. Among other books that we think you might find worthwhile are the books on 
Logic and Mathematics mentioned below. Not all the books are easy to find or to read, 
but most have survived the test of time. 


R. S. Boyer and J S. Moore. A Computational Logic. Academic Press, Inc., New 
York, 1979. 


A. Chlipala. Certified Programming with Dependent Types. MIT Press, 2013. 

J. N. Crossley, C. J. Ash, C. J. Brickhill, J. C. Stillwell, and N. H. Williams. What 
is Mathematical Logic? Oxford University Press, 1972. 

M. Kaufmann, P. Manolios, and J S. Moore. Computer Aided Reasoning: An 
Approach. Kluwer Academic Publishers, 2000. 


D. MacKenzie. Mechanizing Proof: Computing, Risk, and Trust. MIT Press, 
2004. 
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J. McCarthy. A Basis for a Mathematical Theory of Computation. In P. Braffort 
and D. Hershberg (Eds.), Computer Programming and Formal Systems. North- 
Holland Publishing Company, Amsterdam, The Netherlands, 1963. 

E. Mendelson. Introduction to Mathematical Logic. D. Van Nostrand Company, 
Inc., Princeton, New Jersey, 1964. 

R. Peter. Recursive Functions Third Revised Edition. Academic Press, New York, 
1967. 

Pierce, B. C., et al. Software Foundations. http://www.cis.upenn.edu/ 
~bcpierce/sf (2010-2015). 

T. A. Skolem. The foundations of elementary arithmetic established by means of 
the recursive mode of thought, without the use of apparent variables ranging over 
infinite domains, in From Frege to Godel: A Source Book in Mathematical Logic, 
1879-1931 (Jean van Heijenoort, ed.), pages 302-333. Harvard Univ. Press, 1967. 
Paper written in 1919 and appeared in published form in 1923. 

P. Suppes. Introduction to Logic. D. Van Nostrand Company, Inc., Princeton, 
New Jersey, 1957. 

M. Wand. Induction, Recursion, and Programming. Elsevier North Holland, Inc., 
1980. 

A. N. Whitehead and B. Russell. Principia Mathematica. Cambridge: Cambridge 
University Press, in 3 vols, 1910, 1912, 1913. Second edition, 1925 (Vol. 1), 1927 
(Vols 2, 3). Abridged as Principia Mathematica to *56, Cambridge University 
Press, 1962. 
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Afterword 


In January 1984, I went to Indiana to get my PhD from Dan Friedman. Among 
other ideas, he was well known for The Little LIS Per , which everybody used to teach 
recursion. Back then, recursion seemed so complicated, but Dan’s book helped everyone 
understand it. 

A year later, Dan put me to work on a revision of The Little LISPer. It had aged 
a bit since its first appearance in 1974, and I had proposed some small improvements 
that he liked. We spent nine long months working it all out. For me, as a second year 
graduate student, it was an exhilarating experience. Working with Dan, I learned a 
lot about how to take a research insight and think it over until the explanation was 
accessible to freshman students. 

Fast forward. In the spring of 2008, I proposed a novel kind of freshman course that 
would explain the role of logic and theorem proving in programming. I asked two of my 
PhD students, Dale Vaillancourt and Carl Eastlund, to join me. Our goal was to develop 
a course in which students would first program functions like sub, add-atoms, plus some 
small video games and then make up and prove theorems about them. We used the 
ACL2 proof assistant, a brilliant system for true experts, but it became clear quickly 
that freshman students needed a simple way to interact with this complex system. 

Carl took on the task of creating an interactive development environment in which 
students could create programs and proofs together. We also continued to think about 
how to teach the material. I eventually realized that we needed Dan’s way of studying, 
twisting, refining this material. So I discussed the project with him, and he suggested 
the Little book approach. But Little books have always been Dan’s forte, and Carl 
had acquired a deeper understanding of ACL2 than most people on the planet. What 
would be more natural than for the two of them, for “grandfather” and “grandson,” to 
co-author a Little book? 

The Little Prover is the result of this collaboration. Like all of its predecessors, the 
book distills a topic to its essential elements. Here you find out about the mechanical 
method of using structural induction in proofs, which is critical for all current appli¬ 
cations of logic to programming, and the J-Bob proof assistant, which can check such 
proofs. Study this book, work through it, and you will comprehend. And all you need 
to get through the book, is an understanding of The Little LISPer. 

Now I have come full circle. I enjoyed the journey, and I hope you did, too. 


Matthias Felleisen 
Boston, Massachusetts 
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see quote 

0,4 

., see dotted pair 
<=len, see J-Bob 
<=len-from, see J-Bob 

A, see if answer 
ACL2, 203 

add-atoms, see function 
align, see function 
align/align, see theorem 
answer, see if answer 
app-arity?, see J-Bob 
app-c, see J-Bob 
app-of-equal?, see J-Bob 
app.args, see J-Bob 
app.name, see J-Bob 
app?, see J-Bob 
apply-op, see J-Bob 
args-arity?, see J-Bob 
arity?, see J-Bob 
associate—h, see axiom 
atom, see operator 
atom/cons, see axiom 
atoms, see function 
attention, 20 
axiom, 7, 7, 8 

associate—h, 148 
atom/cons, 5, 8, 26 
car/cons, 6, 8, 12, 26 
cdr/cons, 6, 8, 26 
common-addends-<, 148 
commute--!-, 148 


cons/car+cdr, 25, 26 
equal-if, 17, 18 
equal-same, 9, 10, 18 
versus equal, 17 
equal-swap, 9, 10, 18 
identity—h, 148 
if-false, 15, 27 
if-nest-A, 27, 29 
if-nest-E, 27, 30 
if-same, 15, 27 
in reverse, 16 
if-true, 15, 17, 27 
natp/+, 148 
natp/size, 53 
positives—h, 148 
size/car, 53 
size/cdr, 53 
axioms, see J-Bob 
Axioms of 

+ and <, 148 
Cons, 8, 26 
Equal, 10, 18 
If, 15, 27 
Size, 53 

binary-op, see J-Bob 
black, 5 
blue, 5 

bound?, see J-Bob 

car, see operator 
car/cons, see axiom 
cdr, see operator 
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cdr/cons, see axiom 
claim, 33, 34 

totality, see totality claim 
common-addends-<, see axiom 
commute-+, see axiom 
conclusion, 18, 19 
condition, 18, 22-24 
conjunction, 111, 113 
conjunction, see J-Bob 
cons, see operator 
cons/car+cdr, see axiom 
Constructing Totality Claims, 113 
context, 5 

contradiction, see theorem 
counterexample, 118, 144, 157 
ctx?, see function 
ctx?/sub, see theorem 
ctx?/t, see theorem 

def-contents?, see J-Bob 
def.formals, see J-Bob 
def.name, see J-Bob 
def?, see J-Bob 
defs?, see J-Bob 

defun, xii, see also The Law of Defun 

Defun Induction, 124, 118-127, 157 

defun-c, see J-Bob 

defun.body, see J-Bob 

defun.formals, see J-Bob 

defun.name, see J-Bob 

defun?, see J-Bob 

dethm, xiii, 8, 12, see also The Law of 

Dethm 

dethm-c, see J-Bob 
dethm.body, see J-Bob 
dethm.formals, see J-Bob 
dethm.name, see J-Bob 
dethm?, see J-Bob 
direction?, see J-Bob 
dotted pair, 115 
dotted pairs, 139-141, 145-146 

E, see if else 
eleml, see J-Bob 


elem2, see J-Bob 
elem3, see J-Bob 

else, see if else 
equal, 3 

both directions, 10 
equal, see operator 
equal-if, see axiom 
equal-same, see axiom 
equal-swap, see axiom 
equality, see J-Bob 
equality/def, see J-Bob 
equality/equation, see J-Bob 
equality/path, see J-Bob 
eval-op, see J-Bob 
evaluate, xi 
expr-recs, see J-Bob 
expr?, see J-Bob 
expression, xii, 3 
exprs-recs, see J-Bob 
exprs?, see J-Bob 
extend-rec, see J-Bob 

find-focus-at-direction, see J-Bob 
find-focus-at-path, see J-Bob 
first-of, see function 
first-of-pair, see theorem 
focus, 5 

whole expression, 6 

focus-is-at-direction?, see J-Bob 
focus-is-at-path?, see J-Bob 
follow-prems, see J-Bob 
food, xiii 

formals?, see J-Bob 
function, xii, see also operator 
add-atoms, 108-113, 115, 192 
align, 142, 141-145, 147-156, 197, 
200 

application, xii 
atom, 45 

atoms, 108, 115, 193 
built-in, xii 
ctx?, 89-90, 188 
equal, 43 
first-of, 33, 183 
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in-pair?, 36 
index2, 46 

list-induction, 125, 178 
listO?, 43-44, 184 
listl?, 44-45, 184 
Iist2?, 46-184 
Iist3?, 50 
list?, 50-54, 185 
measure, 52 
memb?, 59, 60, 185 
measure, 59 
member?, 107, 192 
pair, 33, 183 
partial, 47 
totality claim, 57 
remb, 59, 60-61, 185 
rembmeasure, 60 
rotate, 140, 139-140, 196 
second-of, 33, 183 
set?, 107, 108, 192 
star-induction, 125, 179 
sub, 56, 55-56, 90 
sub?, 185 

wt, 146, 145-147, 197 

get-arg, see J-Bob 
get-arg-from, see J-Bob 

identity--!-, see axiom 
if, xii, 15, 45, 94, see also Axioms of If 
answer, xii, 16 
else, xii, 16 
question, xii, 16 

If Lifting, 28-31, 66-67, 67, 72, 81, 92, 

93, 98, 99, 103, 104, 126, 128, 
130, 131 
if-c, see J-Bob 

if-c-when-necessary, see J-Bob 
if-false, see axiom 
if-nest-A, see axiom 
if-nest-E, see axiom 
if-QAE, see J-Bob 
if-same, see axiom 
if-true, see axiom 


if.A, see J-Bob 
if.E, see J-Bob 
if.Q, see J-Bob 
if?, see J-Bob 
implication, 122 
implication, see J-Bob 
in-first-of-pair, see theorem 
in-pair?, see function 
in-second-of-pair, see theorem 
induction, xi, 77 

defun, see Defun Induction 
on lists, see List Induction 
on nested conses, see Star Induc¬ 
tion 

induction-scheme-for?, see J-Bob 
induction-scheme?, see J-Bob 
induction/claim, see J-Bob 
induction/defun, see J-Bob 
induction/if, see J-Bob 
induction/prems, see J-Bob 
inductive claim, 119-124 
inductive premise, 79, 82, 99, 100, 104, 

117-118, 120-121, 124, 134, 
157, 161, 163 
constructing, 121 
Insight 

Build Up to Induction Gradually, 

86 

Combine Ifs, 92 

Don’t Touch Inductive Premises, 

83 

Helper Theorems for Induction, 95 
Helper Theorems for Repetition, 

144 

Know Theorems and Axioms, 69 
Pull Ifs Outward, 68 
Rewrite from the Inside Out, 63 
Skip Irrelevant Expressions, 39 

J-Bob, xiii, 165-179, 203-215 

<=len, 206 
<=len-from, 206 
app-arity?, 205 
app-c, 204 
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app-of-equal?, 212 

app.args, 204 

app.name, 204 

app?, 204 

apply-op, 211 

args-arity?, 205 

arity?, 206 

axioms, 214 

binary-op, 211 

bound?, 205 

conjunction, 205 

def-contents?, 208 

def.formals, 205 

def.name, 205 

def?, 208 

defs?, 208 

defun-c, 204 

defun.body, 204 

defun.formals, 204 

defun.name, 204 

defun?, 204 

dethm-c, 204 

dethm.body, 204 

dethm.formals, 204 

dethm.name, 204 

dethm?, 204 

direction?, 207 

eleml, 204 

elem2, 204 

elem3, 204 

equality, 212 

equality/def, 212 

equality/equation, 212 

equality/path, 212 

eval-op, 211 

expr-recs, 209 

expr?, 206 

exprs-recs, 209 

exprs?, 206 

extend-rec, 208 

find-focus-at-direction, 210 

find-focus-at-path, 210 

focus-is-at-direction?, 210 


focus-is-at-path?, 210 
follow-prems, 211 
formals?, 206 
get-arg, 206 
get-arg-from, 206 
if-c, 204 

if-c-when-necessary, 205 

if-QAE, 205 

if.A, 204 

if.E, 204 

if.Q, 204 

if?, 204 

implication, 205 
induction-scheme-for?, 207 
induction-scheme?, 207 
induction/claim, 210 
induction/defun, 210 
induction/if, 210 
induction/prems, 210 
J-Bob/define, 173, 213 
J-Bob/prove, 171, 213 
J-Bob/step, 167, 213 
list-extend, 206 
list-union, 206 

listO, 204 
listO?, 204 
listl, 204 
Iist 1 ?, 204 
Iist2, 204 
list2-or-more?, 208 
Iist2?, 204 
Iist3, 204 
Iist3?, 204 
lookup, 205 
member?, 204 
path?, 207 
prelude, 214 
prem-A?, 211 
prem-E?, 211 
proof?, 208 
proofs?, 208 
QAE-if, 205 
quote-c, 204 
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quote.value, 204 
quote?, 204 
quoted-exprs?, 207 
rands, 211 
rator.formals, 205 
rator?, 205 

rewrite-focus-at-direction, 210 

rewrite-focus-at-path, 210 

rewrite/continue, 212 

rewrite/define, 213 

rewrite/define-b, 213 

rewrite/define-b 1, 213 

rewrite/prove, 213 

rewrite/prove+, 213 

rewrite/prove-h 1, 213 

rewrite/step, 212 

rewrite/steps, 212 

seed?, 207 

set-arg, 206 

set-arg-from, 206 

step-app?, 207 

step-args?, 207 

step?, 207 

steps?, 207 

sub-e, 208 

sub-es, 208 

sub-var, 208 

subset?, 206 

tag, 204 

tag?, 204 

totality/<, 209 

totality/claim, 209 

totality/if, 209 

totality/meas, 209 

unary-op, 211 

undefined?, 205 

untag, 204 

var?, 204 

J-Bob/define, see J-Bob 

J-Bob/prove, see J-Bob 

J-Bob/step, see J-Bob 

jabberwocky, 20 

The Law of Defun, 34, 47 


The Law of Dethm, 12, 18 
condition, see condition 
list, xii, 43, 50 
circular, 50 

improper, see dotted pair 
infinite, 50 

List Induction, 78, 86, 124 
list-extend, see J-Bob 
list-induction, see function 
list-union, see J-Bob 
listO, see J-Bob 

listO?, see function, see also J-Bob 
listl, see J-Bob 

listl?, see function, see also J-Bob 
Iist2, see J-Bob 
list2-or-more?, see J-Bob 
Iist2?, see function, see also J-Bob 
Iist3, see J-Bob 

Iist3?, see function, see also J-Bob 
list?, see function 
literal, xii 

The Little LISPer , 3 
The Little Schemer , 3 

lookup, see J-Bob 

measure, 51, 52, 109-113 
memb?, see function 
memb?/remb, see theorem 
memb?/rembO, see theorem 
memb?/rembl, see theorem 
memb?/remb2, see theorem 
memb?/remb3, see theorem 
member?, see function, see also J-Bob 

natp/+, see axiom 

natp/size, see axiom 

natp/wt, see theorem 

natural number, xii, 53, 113 

natural recursion, 77, 78, 79, 90, 117— 

118, 161 

nil, 3 

notation, xii 
operator, 45 
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+, 146, see also Axioms of + and 

< 

<, 113, see also Axioms of + and 

< 

atom, 4, see also Axioms of Cons 
car, 3, see also Axioms of Cons 
cdr, 3, see also Axioms of Cons 
cons, 3, see also Axioms of Cons 
dotted, see dotted pair 
equal, 8, see also Axioms of Equal 
versus equal-same, 17 
natp, 53, 113 

size, 52, see also Axioms of Size 
orange, 20 
ordinal number, 126 

pair, see function 
partial, see function 
partial function, 47 
path?, see J-Bob 
positive/wt, see theorem 
positives—h, see axiom 
prelude, 165 
prelude, see J-Bob 
prem-A?, see J-Bob 
prem-E?, see J-Bob 
premise, 20 

inductive, see inductive premise 
proof, 34 

proof assistant, xiii 
proof attempt, 171 
Proof by 

Induction, 100 

List Induction, see List Induction 
Star Induction, see Star Induction 
proof?, see J-Bob 
proofs?, see J-Bob 
prove, 34 

Q, see if question 
QAE-if, see J-Bob 
question, see if question 
quote, xii, 3 
quote-c, see J-Bob 


quote.value, see J-Bob 
quote?, see J-Bob 
quoted-exprs?, see J-Bob 

rands, see J-Bob 
rator.formals, see J-Bob 
rator?, see J-Bob 
recursion, 50, 77, 79 

natural, see natural recursion 
recursive function, xi 
remb, see function 
reverse, xi 
rewrite, 3 

rewrite-focus-at-direction, see J-Bob 
rewrite-focus-at-path, see J-Bob 
rewrite/continue, see J-Bob 
rewrite/define, see J-Bob 
rewrite/define-b, see J-Bob 
rewrite/define+l, see J-Bob 
rewrite/prove, see J-Bob 
rewrite/proved-, see J-Bob 
rewrite/prove+1, see J-Bob 
rewrite/step, see J-Bob 
rewrite/steps, see J-Bob 
rotate, see function 
rotate/cons, see theorem 

Scheme, 203 
second-of, see function 
second-of-pair, see theorem 
seed, 171 

induction 

on lists, see list-induction 
on nested conses, see star- 
induction 
measure, 176 
recursive function, 176 
seed?, see J-Bob 
set-arg, see J-Bob 
set-arg-from, see J-Bob 
set?, see function 

set?/add-atoms, see theorem, see theo¬ 
rem 

set?/atoms, see theorem 
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set?/nil, see theorem 
set?/t, see theorem 
size/car, see axiom 
size/cdr, see axiom 
Star Induction, 91, 116, 124 
star-induction, see function 
step, 5, 34, 165 
step-app?, see J-Bob 
step-args?, see J-Bob 
step?, see J-Bob 
steps?, see J-Bob 
sub, see function 
sub-e, see J-Bob 
sub-es, see J-Bob 
sub-var, see J-Bob 
subset?, see J-Bob 
symbol, xii 

t, 4 

tag, see J-Bob 
tag?, see J-Bob 
theorem, xiii, 8, 34 

align/align, 157-163, 201 
contradiction, 47-50, 184 
ctx?/sub, 90-100, 190 
ctx?/t, 95, 100-104, 190 
first-of-pair, 33-35, 183 
helper, 95, 116, 119, 129, 131, 141, 
147, 150 
if-false, 49 

in-first-of-pair, 36-38, 184 
in-pair?, 183 

in-second-of-pair, 38-40, 184 


memb?/remb, 78-85, 187 
memb?/remb0, 61-62, 186 
memb?/rembl, 63-70, 186 
memb?/remb2, 71-74, 187 
memb?/remb3, 75 
natp/wt, 147, 200 
positive/wt, 150, 200 
rotate/cons, 140-141, 197 
second-of-pair, 35-36, 183 
set?/add-atoms, 116-117, 119- 

134, 136, 193, 195 
set?/atoms, 116, 134-136, 193, 195 
set?/nil, 131, 195 
set?/t, 129, 195 
total, 43, 47 

totality claim, 53, 108-113, see also 

Constructing Totality Claims 
non-recursive function, 55 
totality/<, see J-Bob 
totality/claim, see J-Bob 
totality/if, see J-Bob 
totality/meas, see J-Bob 

unary-op, see J-Bob 
undefined?, see J-Bob 
untag, see J-Bob 

value, 3 

finite, 50 
var?, see J-Bob 
variable, xii, 16 

wt, see function 
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